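Kingdom: Environment
This section covers everything that is outside the source code but is still critical to the security of the product being created. Because the issues covered here are not directly related to source code, we have separated them from the other sections.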
Struts Misconfiguration: Missing Form Bean
Abstract
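If a Struts action refers to a form-bean that does not exist, it cannot be mapped correctly.
Explanation
Struts uses form-bean entries to map HTML forms to actions. If the name attribute of an <action> tag does not match the name of a form-bean, the action cannot be mapped, which indicates an extraneous definition or a typographical error.
Example 1: The following configuration does not contain a mapping for bean2.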
<form-beans>
<form-bean name="bean1" type="coreservlets.UserFormBean" />
</form-beans>
<action-mappings>
<action path="/actions/register1" type="coreservlets.RegisterAction1" name="bean1" scope="request" />
<action path="/actions/register2" type="coreservlets.RegisterAction2" name="bean2" scope="request" />
</action-mappings>
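A check for the mismatch in the configuration above, written as an added example (it is not part of the original page or of Struts): it lists every action whose name attribute has no matching form-bean and suggests similarly spelled declared beans to help spot typos. The function name, the `<struts-config>` wrapper around the sample and the use of difflib for suggestions are assumptions made for this illustration.

```python
import difflib
import xml.etree.ElementTree as ET

# Constructed sample: the configuration from Example 1, wrapped in a
# <struts-config> root element so that it parses as one document.
SAMPLE_CONFIG = """<struts-config>
  <form-beans>
    <form-bean name="bean1" type="coreservlets.UserFormBean" />
  </form-beans>
  <action-mappings>
    <action path="/actions/register1" type="coreservlets.RegisterAction1"
            name="bean1" scope="request" />
    <action path="/actions/register2" type="coreservlets.RegisterAction2"
            name="bean2" scope="request" />
  </action-mappings>
</struts-config>"""


def find_missing_form_beans(config_xml):
    """Return (action path, form-bean name, close matches) for every
    <action> whose name attribute matches no declared <form-bean>."""
    # Intended for configuration files from your own source tree.
    root = ET.fromstring(config_xml)
    declared = sorted(
        fb.get("name") for fb in root.iter("form-bean") if fb.get("name")
    )
    findings = []
    for action in root.iter("action"):
        name = action.get("name")
        # An action without a name attribute uses no form bean: not a finding.
        if name is None or name in declared:
            continue
        # Similar declared names hint at a typo rather than a missing bean.
        suggestions = difflib.get_close_matches(name, declared)
        findings.append((action.get("path"), name, suggestions))
    return findings


if __name__ == "__main__":
    for path, name, suggestions in find_missing_form_beans(SAMPLE_CONFIG):
        hint = f" (did you mean {', '.join(suggestions)}?)" if suggestions else ""
        print(f"{path}: form-bean '{name}' is not declared{hint}")
```

Run as a build or CI step against struts-config.xml, a non-empty result can fail the pipeline before the misconfigured mapping is deployed.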
desc.config.java.struts_misconfiguration_missing_form_bean