The application overrides one of the following classes: RequestAware, ApplicationAware, SessionAware. An attacker can disrupt the logic of the application by including arbitrary data into objects of the session, the application or the request on the server side.

In Struts 2.x, there are new interfaces that allow developers to easily include information on the state of the application into the Action classes code: org.apache.struts2.interceptor.ApplicationtAware, org.apache.struts2.interceptor.SessionAware and org.apache.struts2.interceptor.RequestAware. To use the functionality of these interfaces, the developer overrides the set method (e.g., setSession for SessionAware):

public class VulnerableAction extends ActionSupport implements SessionAware {
    protected Map<String, Object> session;

@Override
    public void setSession(Map<String, Object> session) {
        this.session = session;
    }
}

On the other hand, Struts 2.x automatically binds data received from the user via a request with the Action object fields using public accessors defined in Action. Since the Aware interfaces require implementation of its public set method, this method will automatically be attached to any parameter of the request with a suitable name. An attacker can change the value of the application data at runtime with the help of this parameter.

Since these interfaces require only set methods override, if there are also the corresponding get methods implemented, then the variable changes made in the described manner will be valid on the scale of the session, not just of the current request.

Java : Unsafe encoding

DerScanner Severity Score

Do you want to fix Java : Unsafe encoding in your application?

See also