界: Environment

本節包括原始程式碼之外的所有內容,但對於建立中產品的安全性仍至關重要。由於此領域所涵蓋的問題與原始程式碼沒有直接關係,因此我們將其與其他領域分開。

Struts Misconfiguration: Missing Action Input

Abstract
省略可傳回驗證錯誤的已命名 Struts Action 的 input 屬性視為錯誤。
Explanation
每當已命名動作傳回驗證錯誤[2]時,Struts 規格就會要求 input 屬性。發生驗證錯誤時,input 屬性會指定顯示錯誤訊息的頁面。
範例 1:以下組態定義已命名的驗證作業動作,但並未指定 input 屬性。

<action-mappings>
  <action   path="/Login"
            type="com.LoginAction"
            name="LoginForm"
            scope="request"
            validate="true" />
</action-mappings>
References
[1] Apache Struts Specification
[2] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[3] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[4] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[5] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[6] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[7] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[8] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
desc.config.java.struts_misconfiguration_missing_action_input