Difference between revisions of "Struts"

From OWASP
Jump to: navigation, search
Line 24: Line 24:
 
==Security in the Controller==
 
==Security in the Controller==
  
[[Struts: Form Field Without Validator]]
+
==Common errors and vulnerabilities==
 +
 
 +
[[Struts: Form Field Without Validator|Form Field Without Validator]]
 +
 
 +
[[Struts: Plug-in Framework Not In Use|Plug-in Framework Not In Use]]
 +
 
 +
[[Struts: Unused Validation Form|Unused Validation Form]]
 +
 
 +
[[Struts: Unvalidated Action Form|Unvalidated Action Form]]
 +
 
 +
[[Struts: Validator Turned Off|Validator Turned Off]]
 +
 
 +
[[Struts: Validator Without Form Field|Validator Without Form Field]]
 +
 
 +
[[Struts: Form Does Not Extend Validation Class|Form Does Not Extend Validation Class]]
 +
 
 +
[[Struts: Erroneous validate() Method|Erroneous validate() Method]]
 +
 
 +
[[Struts: Duplicate Validation Forms|Duplicate Validation Forms]]
 +
 
 +
==Auditing Tools==
 +
 
 +
[[Struts XSLT Viewer]]
  
 
[[Category:OWASP Java Project]]
 
[[Category:OWASP Java Project]]
 
[[Category:Struts]]
 
[[Category:Struts]]
 
[[Category:Java]]
 
[[Category:Java]]

Revision as of 14:35, 23 January 2008

Contents

Status

Content to be finalized. First draft

Overview

Struts is an Apache framework aimed at simplifying the creation of dynamic web applications in Java.

Struts is built on a MVC architecture, which means the application is arranged into 3 primary types of code. These are know as a Model, View and Controller. The Model defines the structure of your data being processed. The View defines everything that a end user can see. The controller take the model as submitted from the page, performs business logic on the data, then decides what view should be responsible for displaying the result.

I will not spend any more time talking about the architecture of struts. If you would like to have more information on that topic, I suggest going to the official website.

Security in the Model

Validation

The Struts Validation Framework is the primary method of validating a struts based application. Struts validation consists of a few elements to be setup. To properly use Struts validation your application should have the following...

  • A validator-rules.xml file in the WEB-INF folder.
  • A validator.xml in the WEB-INF folder.
  • All ActionForms should extend org.apache.struts.validator.ValidatorForm or org.apache.struts.validator.ValidatorActionForm instead of org.apache.struts.action.ActionForm.
  • The commons-validator.jar in WEB-INF. This can be obtained here.

Security in the View

Security in the Controller

Common errors and vulnerabilities

Form Field Without Validator

Plug-in Framework Not In Use

Unused Validation Form

Unvalidated Action Form

Validator Turned Off

Validator Without Form Field

Form Does Not Extend Validation Class

Erroneous validate() Method

Duplicate Validation Forms

Auditing Tools

Struts XSLT Viewer