Security Control not taking effect

Issue

A Security Control has been defined, but it does not appear to take effect: vulnerabilities that the control should cover are still being reported.

Cause

The most common cause of an ineffective Security Control is a misconfigured method signature. The following are real-world examples of incorrectly specified signatures:

Example-1: An object is used

com.acme.controller.CheckSSNServlet(com.acme.pojo.update.UpdateAccount*)

The parameter being validated or sanitized must be a String. In this case the user had instead specified an object.

Valid types are String and String[].

Example-2: Generics and shorthand are used in the signature

com.acme.controller.CheckSSNServlet.validateUpdateRecords(HttpServletRequest, List<String>, java.lang.String*)

There are a couple of issues with this signature. Generics were used (List<String>); they should not be included, because generics are a compile-time construct with no runtime representation.

Classes and packages must be written out in full; shorthand cannot be used. List<String> should be java.util.List and HttpServletRequest should be javax.servlet.http.HttpServletRequest.

Example-3: Not adhering to the correct case

com.acme.persistence.impl.GroupPersistenceImpl.getGroupListInCompany(Java.lang.string[]*)

Method signatures are case sensitive; this one cites Java.lang.string instead of the correct java.lang.String.