Issue
A Security Control has been defined, but it doesn't appear to be taking effect: vulnerabilities that the control should cover are still being reported.
Cause
The most common cause of an ineffective Security Control is a misconfigured Security Control. The following are real-world examples of incorrectly specified method signatures:
Example-1: An object is used
com.acme.controller.CheckSSNServlet(com.acme.pojo.update.UpdateAccount*)
The parameter being validated/sanitized must be a String. In this case the user had instead specified an object. Valid types are String and String[].
Example-2: Generics and shorthand are used in the signature
com.acme.controller.CheckSSNServlet.validateUpdateRecords(HttpServletRequest, List<String>, java.lang.String*)
There are a couple of issues with this case. Generics were used in the signature (List<String>), which shouldn't be included, as they are a compiler construct and not related to runtime. Classes and packages also need to be fully written out; shorthand can't be used. List<String> should be java.util.List and HttpServletRequest should be javax.servlet.HttpServletRequest.
Example-3: Not adhering to the correct case
com.acme.persistence.impl.GroupPersistenceImpl.getGroupListInCompany(Java.lang.string[]*)
The method signature is case sensitive, but this one cites Java.lang.string instead of the correct java.lang.String.
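The rules above (fully qualified names, no generics, correct case, a String or String[] parameter marked with *) can be checked before a Security Control is saved. The following linter is an added example written for this article, not part of any product; it assumes the signature form package.Class.method(type, type*) and flags the three misconfigurations shown above.

```python
import re

# Only these types may be the validated/sanitized (starred) parameter.
ALLOWED_MARKED_TYPES = {"java.lang.String", "java.lang.String[]"}
ALLOWED_LOWER = {t.lower() for t in ALLOWED_MARKED_TYPES}

SIGNATURE_RE = re.compile(r"^(?P<method>[^()]+)\((?P<params>.*)\)$")


def lint_signature(sig: str) -> list:
    """Return the rule violations in a Security Control method signature.
    An empty list means the signature follows the rules in this article."""
    problems = []
    m = SIGNATURE_RE.match(sig.strip())
    if not m:
        return ["expected the form package.Class.method(type, type*)"]
    if "." not in m.group("method"):
        problems.append("method must be written out with its package and class")

    raw = m.group("params").strip()
    params = [p.strip() for p in raw.split(",")] if raw else []
    if not any(p.endswith("*") for p in params):
        problems.append("no parameter is marked with '*' as the one being validated")

    for p in params:
        # Generics such as List<String> are a compiler construct and never exist at runtime.
        if "<" in p or ">" in p:
            problems.append(f"{p}: generics must not be included in the signature")
        # Drop generics and the '*' marker to get the bare class name for the remaining checks.
        base = re.sub(r"<.*>", "", p).rstrip("*")
        if "." not in base:
            problems.append(f"{p}: class must be fully qualified, shorthand is not allowed")
        elif base not in ALLOWED_MARKED_TYPES and base.lower() in ALLOWED_LOWER:
            # Signatures are case sensitive: Java.lang.string is not java.lang.String.
            problems.append(f"{p}: wrong case, use java.lang.String or java.lang.String[]")
        elif p.endswith("*") and base not in ALLOWED_MARKED_TYPES:
            problems.append(f"{p}: validated parameter must be a String, not an object")
    return problems


if __name__ == "__main__":
    # The three misconfigured signatures from this article plus a corrected Example-2.
    for sig in [
        "com.acme.controller.CheckSSNServlet(com.acme.pojo.update.UpdateAccount*)",
        "com.acme.controller.CheckSSNServlet.validateUpdateRecords(HttpServletRequest, List<String>, java.lang.String*)",
        "com.acme.persistence.impl.GroupPersistenceImpl.getGroupListInCompany(Java.lang.string[]*)",
        "com.acme.controller.CheckSSNServlet.validateUpdateRecords(javax.servlet.HttpServletRequest, java.util.List, java.lang.String*)",
    ]:
        print(sig, "->", lint_signature(sig) or "OK")
```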