Expression Language (EL) allows JSP pages to easily access application data stored in user-defined JavaBeans components as well the implicit objects. In addition, JSP pages can also invoke arbitrary public and static methods and perform arithmetic operations using EL expressions.
By allowing attackers to inject EL expressions through insufficiently validated user input, an application could grant unauthorized access to sensitive application and server information. Expression Language injection can also allow an attacker to evade HTTPOnly access restrictions imposed on cookies by exploiting access to the implicit cookie object made available in EL expressions.

A file disclosure occur when:
1. Data enters a program from an untrusted source.


2. The data is used to dynamically construct a path.

Example 1: The following code takes untrusted data and uses it to build a path which is used in a server side forward.

...
String returnURL = request.getParameter("returnURL");
	RequestDispatcher rd = request.getRequestDispatcher(returnURL);
	rd.forward();
...

Example 2: The following code takes untrusted data and uses it to build a path which is used in a server side forward.

...
	<% String returnURL = request.getParameter("returnURL"); %>
	<jsp:include page="<%=returnURL%>" />
	...

If an attacker provided a URL with the request parameter matching a sensitive file location, they would be able to view that file. For example, "http://www.yourcorp.com/webApp/logic?returnURL=WEB-INF/applicationContext.xml" would allow them to view the applicationContext.xml of the application.
After the attacker had the applicationContext.xml, they could locate and download other configuration files referenced in the applicationContext.xml or even class or jar files. This would allow attackers to gain sensitive infomation about an application and target it for other types of attack.

A file disclosure occur when:
1. Data enters a program from an untrusted source.


2. The data is used to dynamically construct a path.

Example 1: The following code takes untrusted data and uses it to build a path which is used in a server side forward.

...
	String returnURL = request.getParameter("returnURL");
	return new ActionForward(returnURL);
	...

If an attacker provided a URL with the request parameter matching a sensitive file location, they would be able to view that file. For example, "http://www.yourcorp.com/webApp/logic?returnURL=WEB-INF/applicationContext.xml" would allow them to view the applicationContext.xml of the application.
After the attacker had the applicationContext.xml, they could locate and download other configuration files referenced in the applicationContext.xml or even class or jar files. This would allow attackers to gain sensitive information about an application and target it for other types of attack.

In AI applications, system prompts provide pre-processing instructions or context that guide the AI responses. Attackers can craft inputs that, when embedded as system prompts, alter the behavior of the AI model to execute unauthorized operations or disclose sensitive information. In the case of persistent prompt injection this untrusted input typically comes from database or a back-end data store as opposed to a web request.

Example 1: The following code illustrates a system prompt injection to an AI chat client that uses Spring AI:

  @GetMapping("/prompt_injection_persistent")
  String generation(String userInput1, ...) {
      Statement stmt = conn.createStatement();
      ResultSet rs = stmt.executeQuery("SELECT * FROM users WHERE ...");
      String userName = "";

      if (rs != null) {
        rs.next();
        userName = rs.getString("userName");
      }

      return this.clientBuilder.build().prompt()
          .system("Assist the user " + userName)
          .user(userInput1)
          .call()
          .content();
  }

In this example, the attacker manipulates unvalidated input to a system prompt, which can lead to a security breach.

Session fixation vulnerabilities occur when:

1. A web application authenticates a user without first invalidating the existing session, thereby continuing to use the session already associated with the user.
2. An attacker can force a known session identifier on a user so that, after the user authenticates, the attacker has access to the authenticated session.

In the generic exploit of session fixation vulnerabilities, an attacker creates a new session on a web application and records the associated session identifier. The attacker then causes the victim to authenticate against the server using that session identifier, giving the attacker access to the user's account through the active session.

Some frameworks such as Spring Security automatically invalidates existing sessions when creating a new one. This behaviour can be disabled leaving the application vulnerable to this attack.

Example 1: The following example shows a snippet of a Spring Security protected application where session fixation protection has been disabled.

	<http auto-config="true">
        ...
        <session-management session-fixation-protection="none"/>
	</http>

Even given a vulnerable application, the success of the specific attack described here depends on several factors working in the attacker's favor: access to an unmonitored public terminal, the ability to keep the compromised session active, and a victim interested in logging into the vulnerable application on the public terminal. In most circumstances, the first two challenges are surmountable given a sufficient investment of time. Finding a victim who is both using a public terminal and interested in logging into the vulnerable application is possible as well, as long as the site is reasonably popular. The less popular the site, the lower the odds of an interested victim using the public terminal and the less chance of success for the attack vector previously described.

The biggest challenge an attacker faces in exploiting session fixation vulnerabilities is inducing victims to authenticate against the vulnerable application using a session identifier known to the attacker. In Example 1, the attacker does this through an obvious direct method that does not suitably scale for attacks involving less well-known web sites. However, do not be lulled into complacency; attackers have many tools in their belts that help bypass the limitations of this attack vector. The most common technique attackers use involves taking advantage of cross-site scripting or HTTP response splitting vulnerabilities in the target site [1]. By tricking the victim into submitting a malicious request to a vulnerable application that reflects JavaScript or other code back to the victim's browser, an attacker can create a cookie that causes the victim to reuse a session identifier controlled by the attacker.

It is worth noting that cookies are often tied to the top level domain associated with a given URL. If multiple applications reside on the same top level domain, such as bank.example.com and recipes.example.com, a vulnerability in one application can enable an attacker to set a cookie with a fixed session identifier that is used in all interactions with any application on the domain example.com [2].

Other attack vectors include DNS poisoning and related network-based attacks where an attacker causes the user to visit a malicious site by redirecting a request for a valid site. Network-based attacks typically involve a physical presence on the victim's network or control of a compromised machine on the network, which makes them harder to exploit remotely, but their significance should not be overlooked. Less secure session management mechanisms, such as the default implementation in Apache Tomcat, allow session identifiers normally expected in a cookie to be specified on the URL as well. This enables an attacker to cause a victim to use a fixed session identifier simply by emailing a malicious URL.

Popular spreadsheet processors such as Apache OpenOffice Calc and Microsoft Office Excel support powerful formula operations that might enable attackers in control of the spreadsheet to run arbitrary commands on the underlying system or leak sensitive information on the spreadsheet.

As an example, the attacker may inject the following payload as part of a CSV field: =cmd|'/C calc.exe'!Z0. If the user who opens the spreadsheet trusts the origin of the document, they might accept all the security prompts presented by the spreadsheet processor and let the payload (in this example, opening the Windows calculator) run on their system.

Example 1: The following example shows a Spring Controller that generates a CSV response with non-sanitized user-controlled data:

    @RequestMapping(value = "/api/service.csv")
    public ResponseEntity<String> service(@RequestParam("name") String name) {

        HttpHeaders responseHeaders = new HttpHeaders();
        responseHeaders.add("Content-Type", "application/csv; charset=utf-8");
        responseHeaders.add("Content-Disposition", "attachment;filename=file.csv");

        String data = generateCSVFor(name);

        return new ResponseEntity<>(data, responseHeaders, HttpStatus.OK);
    }

An HTTPS stripping attack is a type of man-in-the-middle attack where the attacker watches all the HTTP traffic for location headers and links that reference HTTPS and replaces them with HTTP ones. The attacker keeps a list of all HTTP substitutions made so that they can make the HTTPS request back to the server. All stripped HTTP connections are proxied out to the server over HTTPS. All traffic between the victim and the attacker is sent over HTTP, revealing usernames, passwords, and other private information, but the server is still receiving the expected HTTPS traffic from the attacker so nothing seems wrong.

HTTP Strict Transport Security (HSTS) is a security header that instructs the browser to always connect to the site that returning the HSTS headers over SSL/TLS during a period specified within the header. Any connection to the server over HTTP is automatically replaced with an HTTPS connection, even if the user types a URL with http:// in the browser's URL bar.

Example 1: The following code configures a Spring Security protected application to disable HSTS for subdomains:

	<http auto-config="true">
        ...
        <headers>
            ...
            <hsts include-sub-domains="false" />
        </headers>
	</http>

Regardless of the language a program is written in, the most devastating attacks often involve remote code execution, whereby an attacker succeeds in executing malicious code in the program's context. If attackers are allowed to upload files to a directory that is accessible from the Web and cause these files to be passed to a code interpreter (e.g. JSP/ASPX/PHP), then they can cause malicious code contained in these files to execute on the server.

Example 1: The following Spring MVC controller class has a parameter than can be used to handle uploaded files.

@Controller
public class MyFormController {
    ...
    @RequestMapping("/test")
    public String uploadFile (org.springframework.web.multipart.MultipartFile file) {
       ...
    }    ...
}

Even if a program stores uploaded files under a directory that isn't accessible from the Web, attackers might still be able to leverage the ability to introduce malicious content into the server environment to mount other attacks. If the program is susceptible to path manipulation, command injection, or dangerous file inclusion vulnerabilities, then an attacker might upload a file with malicious content and cause the program to read or execute it by exploiting another vulnerability.

HTTP Request Smuggling vulnerabilities arise due to the discrepancy in parsing of non-compliant HTTP headers by the front-end and back-end servers. By supplying a request that is interpreted as being of different lengths by different servers, an attacker can poison the back-end TCP/TLS socket and prepend arbitrary data to the next request or smuggle additional requests to the back-end server without the front-end server being aware of it.
There are numerous ways in which a malicious user can accomplish an HTTP Request Smuggling attack. For example, an incoming HTTP request that contains both Content-Length and Transfer-Encoding headers is interpreted differently by the front-end server and the back-end server. One honors the Content-Length header and the other the Transfer-Encoding header to determine the length of the request. This can render the application vulnerable to smuggling attacks.

The stage size set in this Flash application must meet the minimum stage requirements as defined by Adobe. Flash security best practices dictate that all Flash objects have a minimum stage of 215 pixels wide and at least 138 pixels high so that Flash Player messages from shared objects, microphone, camera, and other components can be displayed fully to the user.
To protect against clickjacking and spoofing attacks, Flash Player requires the area of the stage that displays the dialog box be visible with the default window mode set.

A Struts2 Validation file was discovered without a matching Struts2 Action. For each ActionClass, Struts2 searches for a corresponding ActionClass-validation.xml for the necessary validation constraints. In this case, a validation file in the form of ActionClass-validation.xml was found, but ActionClass does not match an Action defined in the Struts2 configuration file.

It is easy for developers to forget to update validation logic when they remove or rename action form mappings. One indication that validation logic is not being properly maintained is the presence of an unused validation form.

A Struts2 validator definition refers to an action field that does not exist.

It is easy for developers to forget to update validation logic when they remove or rename action form mappings. One indication that validation logic is not being properly maintained is the presence of an orphaned validator definition.

HTTP headers are key-value pairs sent between the client and server to provide additional information for handling HTTP requests and responses. Browser vendors mark some HTTP headers as deprecated when they no longer maintain, support, or enhance implementation of the header. Usage of these headers might create a false sense of security and increase the site's vulnerability.

Developers should rely on HTTP headers specified in the HTML standard[3] as they are supported uniformly across browsers. Using non-standard headers might provide additional features and controls but comes with limited browser support and risk of deprecation.

For example, the X-XSS-Protection header was used by developers to control the browser's behavior and offer protection against cross-site scripting (XSS). Modern browsers have better built-in protections with the use of Content Security Policy. Therefore, relying on X-XSS-Protection header can introduce new risks.

Struts uses form-bean entries to map HTML forms to actions. If the <action-mappings> element of the Struts configuration file does not contain an entry that corresponds to a relevant action form defined via a <form-bean> tag, the application logic might not be up-to-date.

Example 1: The following configuration does not contain a mapping for bean2.

<form-beans>
  <form-bean name="bean1" type="coreservlets.UserFormBean1" />
  <form-bean name="bean2" type="coreservlets.UserFormBean2" />
</form-beans>

<action-mappings>
  <action path="/actions/register1" type="coreservlets.RegisterAction1" name="bean1" scope="request" />
</action-mappings>

Applications can be exposed to several threats if default unsafe configurations exist:
- Applications deployed with default configurations can allow attackers easily to fingerprint them and identify their weaknesses.
- Default configuration can reveal file system paths to known sensitive directories including locations of installation and configuration directories.
- More critically, many installations setup a default set of credentials for initial access to administrative functions. Failure to change these credentials can lead to a full compromise of the system.
- Sample programs included with installations can further expose unrestricted access to administrative features.
- Third-party vulnerabilities often target default application setups.

An HTTP response containing a Vary header indicates that server-driven negotiation was done to determine which content should be delivered. This might indicate that different content is available based on the headers in the HTTP request. An attacker could gain access to content not intended for public consumption by submitting different values through the request headers.

It is easy for developers to forget to update validation logic when they remove or rename action form mappings. One indication that validation logic is not being properly maintained is the presence of an unused validation form.

An HTTPS stripping attack is a type of man-in-the-middle attack where the attacker watches all the HTTP traffic for location headers and links that reference HTTPS and replaces them with HTTP versions. The attacker keeps a list of all HTTP substitutions made so that they can make the HTTPS request back to the server. All stripped HTTP connections are proxied out to the server over HTTPS. All traffic between the victim and the attacker is sent over HTTP, revealing usernames, passwords, and other private information, but the server is still receiving the expected HTTPS traffic from the attacker so nothing seems wrong.


HTTP Strict Transport Security (HSTS) is a security header that instructs the browser to always connect to the site that returning the HSTS headers over SSL/TLS during a period specified within the header. Any connection to the server over HTTP is automatically replaced with an HTTPS connection, even if the user types a URL with http:// in the browser's URL bar.

Example 1: The following code configures a Spring Security protected application to disable HSTS headers:

	<http auto-config="true">
        ...
        <headers>
            ...
            <hsts disabled="true" />
        </headers>
	</http>

The XDomainRequestAllowed header, introduced in IE 8, informs browsers that they can make cross-domain requests using the XDomainRequest() object. This can enable an attacker to perform unauthorized cross-domain requests using XDomainRequest() while exploiting a standard Cross-Site Scripting (XSS) flaw. This could allow an attacker to execute JavaScript in the victim's browser to extract information and then send it to a malicious domain using a cross-domain request.

HTML5 provides the ability for browsers to request and cache part of the web application, allowing it to be accessed while the user is offline. Developers use the application cache manifest file served with the appcache extension to list resources that are part of the offline functionality. Offline cache contents are only updated when the application manifest is updated. Therefore, it is essential that browsers or intermediary proxy servers do not cache the application cache manifest file.