| Field | Value |
|---|---|
| License Type | SaaS & On-Premise |
| Agent Mode | Assess |
| Main Product Category | Java Agent |
| Sub Category | Policy Management |
Issue
A Security Control has been defined, but it does not appear to be taking effect: vulnerabilities that pass through the control's method are still being reported.
Cause
The most common cause of an ineffective Security Control is a misconfigured Security Control, usually an incorrectly specified method signature. The following are real-world examples of incorrectly specified method signatures:
- The parameter being validated/sanitized must be a String. In this case the user had instead specified an object:
  com.acme.controller.CheckSSNServlet(com.acme.pojo.update.UpdateAccount*)
- There are a couple of issues in the following case. They've used generics in the signature, List<String>, which shouldn't be included as they're a compiler construct and not related to runtime. They also used "List" rather than the fully qualified name, "java.util.List":
  com.acme.controller.CheckSSNServlet.validateUpdateRecords(HttpServletRequest, List<String>, java.lang.String*)
- The method signature is case sensitive, however the following cites "Java.lang.string" instead of the correct "java.lang.String". Bonus points here however, for trying to sanitize a String array, which is a supported case:
  com.acme.persistence.impl.GroupPersistenceImpl.getGroupListInCompany(Java.lang.string[]*)
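The rules above are easy to get wrong by hand, so a pre-check before saving a Security Control catches most of these mistakes. The following linter is an added example, not Contrast's own code or tooling: it parses a signature in the owner(param, param*) form used in the examples above (the trailing * marking the validated/sanitized parameter is an assumption taken from those examples) and reports every rule from this article that the signature violates. Note that, applied to the second example, it also flags HttpServletRequest, since that type is not fully qualified either. The four signatures embedded at the top are the three misconfigured ones quoted above plus one constructed correct control for comparison.

```python
import re

# Constructed inputs: the three misconfigured signatures quoted in the article
# plus one correctly specified control (class and method names are made up).
EXAMPLE_SIGNATURES = {
    "object_param": "com.acme.controller.CheckSSNServlet(com.acme.pojo.update.UpdateAccount*)",
    "generics_and_short_name": "com.acme.controller.CheckSSNServlet.validateUpdateRecords(HttpServletRequest, List<String>, java.lang.String*)",
    "wrong_case": "com.acme.persistence.impl.GroupPersistenceImpl.getGroupListInCompany(Java.lang.string[]*)",
    "correct": "com.acme.security.InputSanitizer.sanitizeSsn(java.lang.String*)",
}

# owner(params): owner is the dotted class/method path, params is everything inside the parentheses.
SIGNATURE_RE = re.compile(r"^\s*([\w.$]+)\s*\((.*)\)\s*$", re.DOTALL)


def split_params(param_text):
    """Split a parameter list on top-level commas only, so that a generic
    argument list such as Map<K, V> survives as one parameter and is
    reported as a generics problem rather than as two broken types."""
    params, depth, current = [], 0, []
    for ch in param_text:
        if ch == "<":
            depth += 1
        elif ch == ">":
            depth -= 1
        if ch == "," and depth == 0:
            params.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    tail = "".join(current).strip()
    if tail:
        params.append(tail)
    return params


def check_signature(signature):
    """Return a list of human-readable problems for one Security Control
    signature; an empty list means every rule in the article is satisfied."""
    problems = []
    match = SIGNATURE_RE.match(signature)
    if not match:
        return [f"cannot parse '{signature}': expected owner(param, ...)"]
    param_text = match.group(2)
    for index, raw in enumerate(split_params(param_text), start=1):
        marked = raw.endswith("*")            # '*' marks the parameter the control validates/sanitizes
        param = raw[:-1].strip() if marked else raw
        has_generics = "<" in param or ">" in param
        base = re.sub(r"<.*>", "", param).strip()   # type name without generic arguments
        is_array = base.endswith("[]")
        base = base[:-2].strip() if is_array else base
        label = f"parameter {index} ({raw})"
        if has_generics:
            problems.append(f"{label}: generics are a compiler construct and must be omitted")
        if "." not in base:
            problems.append(f"{label}: type '{base}' must be fully qualified (e.g. java.util.List, not List)")
        string_like = base.lower() == "java.lang.string"
        if string_like and base != "java.lang.String":
            problems.append(f"{label}: signatures are case sensitive; write java.lang.String, not {base}")
        elif marked and not string_like:
            problems.append(f"{label}: the validated/sanitized parameter must be java.lang.String "
                            f"or java.lang.String[], not {base}")
    return problems


def check_all(signatures):
    """Check a name -> signature mapping and return name -> problem list."""
    return {name: check_signature(sig) for name, sig in signatures.items()}


if __name__ == "__main__":
    for name, problems in check_all(EXAMPLE_SIGNATURES).items():
        print(f"{name}: {'OK' if not problems else ''}")
        for problem in problems:
            print(f"  - {problem}")
```

Run it as a script to see each quoted signature with its findings; in a deployment you would feed it the signatures you are about to save as Security Controls. A signature with no findings can still be ineffective for reasons outside the signature text itself, so treat a clean result as a necessary rather than sufficient check.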