Security Control not taking effect

A Security Control has been defined, however it doesn't appear to be taking effect and vulnerabilities using the control are still being reported.


The most common cause of an ineffective Security Control is a misconfigured Security Control, and the usual mistake is an incorrectly specified method signature. The following are real-world examples of incorrectly specified method signatures:

Example-1: An object is used


The parameter being validated/sanitized must be a String. In this case the user had instead specified an object.

Valid types are String and String[].


Example-2: Generics and shorthand are used in the signature

com.acme.controller.CheckSSNServlet.validateUpdateRecords(HttpServletRequest, List<String>, java.lang.String*)

There are a couple of issues with this case. Generics were used in the signature (List<String>); they shouldn't be included, as they are a compiler construct with no meaning at runtime.

Classes and packages need to be fully written out; shorthand can't be used. List<String> should be java.util.List and HttpServletRequest should be javax.servlet.http.HttpServletRequest.


Example-3: Not adhering to the correct case


The method signature is case sensitive; the following cites Java.lang.string instead of the correct java.lang.String.
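The three examples above are all catchable before the control is saved. The linter below is an added example written for this article, not part of Contrast's product or documentation. It checks a signature string for the mistakes shown in Example-1 (validated parameter is not String or String[]), Example-2 (generics present, class names not fully qualified) and Example-3 (wrong case). It assumes, as in the Example-2 signature, that a trailing `*` marks the parameter the control validates or sanitizes; the table of known fully qualified names is a small illustrative one, and javax.servlet.http.HttpServletRequest is the fully qualified servlet request type.

```python
import re

# The parameter a Security Control validates/sanitizes must have one of these types
# (the article: "Valid types are String and String[]").
ALLOWED_CONTROL_TYPES = {"java.lang.String", "java.lang.String[]"}

# Short names the article mentions, mapped to their fully qualified forms.
# Illustrative table only, not a complete JDK index; extend as needed.
KNOWN_QUALIFIED = {
    "String": "java.lang.String",
    "List": "java.util.List",
    "HttpServletRequest": "javax.servlet.http.HttpServletRequest",
}
# Lower-cased index used to detect names that differ only in case (Example-3).
_BY_LOWER = {v.lower(): v for v in KNOWN_QUALIFIED.values()}

SIGNATURE_RE = re.compile(r"^(?P<method>[\w.$]+)\((?P<params>.*)\)$")


def split_params(params: str) -> list[str]:
    """Split a parameter list on top-level commas only, so 'Map<K, V>' stays whole."""
    parts, depth, current = [], 0, []
    for ch in params:
        if ch == "<":
            depth += 1
        elif ch == ">":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    if current:
        parts.append("".join(current).strip())
    return [p for p in parts if p]


def lint_signature(sig: str) -> list[str]:
    """Return the problems found in a Security Control method signature.

    An empty list means the signature passed every check this linter knows about.
    Assumption: a trailing '*' marks the parameter the control validates/sanitizes.
    """
    problems: list[str] = []
    m = SIGNATURE_RE.match(sig.strip())
    if not m:
        return ["signature must have the form package.Class.method(type, type*)"]

    method = m.group("method")
    # Assumption: the method lives in a named package, so at least package.Class.method.
    if method.count(".") < 2:
        problems.append(f"method '{method}' must be qualified with its package and class")

    params = split_params(m.group("params"))
    marked = [p for p in params if p.endswith("*")]
    if len(marked) != 1:
        problems.append(f"exactly one parameter must be marked with '*', found {len(marked)}")

    for raw in params:
        is_marked = raw.endswith("*")
        name = raw.rstrip("*").strip()

        # Example-2: generics are a compiler construct and have no runtime meaning.
        if "<" in name or ">" in name:
            problems.append(f"remove generics from '{name}'")
            name = re.sub(r"<.*>", "", name)

        element = name.removesuffix("[]")

        # Example-2: class names must be fully qualified, no shorthand.
        if "." not in element:
            hint = KNOWN_QUALIFIED.get(element)
            suffix = f" (did you mean {hint}?)" if hint else ""
            problems.append(f"'{element}' is not fully qualified{suffix}")
        else:
            # Example-3: signatures are case sensitive.
            correct = _BY_LOWER.get(element.lower())
            if correct and correct != element:
                problems.append(f"'{element}' has the wrong case; use {correct}")

        # Example-1: the validated parameter must be String or String[].
        if is_marked and name not in ALLOWED_CONTROL_TYPES:
            problems.append(
                f"marked parameter '{name}' must be java.lang.String or java.lang.String[]"
            )

    return problems


if __name__ == "__main__":
    # The Example-2 signature from the article, run through the linter.
    for issue in lint_signature(
        "com.acme.controller.CheckSSNServlet.validateUpdateRecords"
        "(HttpServletRequest, List<String>, java.lang.String*)"
    ):
        print("-", issue)
```

Run against the Example-2 signature it reports the unqualified HttpServletRequest, the generics on List, and the unqualified List; the corrected form `com.acme.controller.CheckSSNServlet.validateUpdateRecords(javax.servlet.http.HttpServletRequest, java.util.List, java.lang.String*)` produces no findings.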

