Hi,
We have one web application developed using Spring and deployed in the JBoss application server. Everything was working fine, but recently the security team did an audit and found some issues.
Here is the issue: they formed the URL as below, tested it, and it works fine.
http://localhost:9001/PPMWeb/doLoginAction.to?username=appscanPC&password=PPMUSER&button=LOGIN&operation=Login&logoutFlg=
But then they manipulated the URL as follows:
http://localhost:9001/PPMWeb/doLoginAction.to?username=appscanPC&password=PPMUSER&button=LOGIN&operation=Login&logoutFlg.=
Here, instead of the parameter name logoutFlg (which is a hidden variable in the JSP and defined in the form bean), they used logoutFlg. (with one dot at the end) and tried accessing the URL; then it gives the exception
javax.servlet.ServletException: BeanUtils.populate
org.apache.struts.util.RequestUtils.populate(RequestUtils.java:495)
org.apache.struts.action.RequestProcessor.processPopulate(RequestProcessor.java:805)
org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:203)
org.apache.struts.action.ActionServlet.process(ActionServlet.java:1194)
org.apache.struts.action.ActionServlet.doGet(ActionServlet.java:414)
javax.servlet.http.HttpServlet.service(HttpServlet.java:697)
javax.servlet.http.HttpServlet.service(HttpServlet.java:810)
com.tcs.telecom.ppm.filter.SessionIdFilter.doFilter(SessionIdFilter.java:73)
org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:81)
root cause
java.lang.IllegalArgumentException: No bean specified
org.apache.commons.beanutils.PropertyUtilsBean.getPropertyDescriptor(PropertyUtilsBean.java:751)
org.apache.commons.beanutils.BeanUtilsBean.setProperty(BeanUtilsBean.java:937)
org.apache.commons.beanutils.BeanUtilsBean.populate(BeanUtilsBean.java:811)
org.apache.commons.beanutils.BeanUtils.populate(BeanUtils.java:298)
org.apache.struts.util.RequestUtils.populate(RequestUtils.java:493)
org.apache.struts.action.RequestProcessor.processPopulate(RequestProcessor.java:805)
org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:203)
org.apache.struts.action.ActionServlet.process(ActionServlet.java:1194)
org.apache.struts.action.ActionServlet.doGet(ActionServlet.java:414)
javax.servlet.http.HttpServlet.service(HttpServlet.java:697)
javax.servlet.http.HttpServlet.service(HttpServlet.java:810)
com.tcs.telecom.ppm.filter.SessionIdFilter.doFilter(SessionIdFilter.java:73)
org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:81)
So I would like to know how to handle such manipulation issues and redirect to a user-defined page. Where exactly do I need to handle it? We somehow handled this error in one of the customized filters, but the issue is that if we put the code there, the images in the pages are not loaded properly.
Could you please help us in handling such issues?
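One way to handle this at the filter layer, as an added example that is not the poster's or the project's code: a filter mapped only to the Struts action extension `*.to` (so images and other static resources never pass through it) that turns the BeanUtils population failure shown in the trace into a forward to an application error page. The class name, the web.xml filter name and the error-page path are assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/*
 * web.xml (assumed): map the filter ONLY to the Struts action extension so
 * images, CSS and other static resources are never routed through it.
 *   <filter-mapping>
 *     <filter-name>populateErrorFilter</filter-name>
 *     <url-pattern>*.to</url-pattern>
 *   </filter-mapping>
 */
public class PopulateErrorFilter implements Filter {
    private static final String ERROR_PAGE = "/error/badRequest.jsp"; // assumed path
    private FilterConfig config;

    public void init(FilterConfig config) { this.config = config; }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        try {
            chain.doFilter(req, res);
        } catch (ServletException e) {
            if (!isPopulateFailure(e) || response.isCommitted()) {
                throw e; // not the population error, or too late to change the response
            }
            // Log server-side only; never echo the raw parameters back to the client.
            config.getServletContext().log("Rejected malformed request parameters from "
                    + request.getRemoteAddr() + " for " + request.getRequestURI());
            response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
            request.getRequestDispatcher(ERROR_PAGE).forward(request, response);
        }
    }

    /** Struts wraps the BeanUtils failure in a ServletException("BeanUtils.populate")
     *  whose root cause is the IllegalArgumentException seen in the trace above. */
    static boolean isPopulateFailure(ServletException e) {
        Throwable root = e.getRootCause() != null ? e.getRootCause() : e.getCause();
        return "BeanUtils.populate".equals(e.getMessage())
                || root instanceof IllegalArgumentException;
    }

    public void destroy() { }
}
```

Because the filter is mapped to `*.to` rather than `/*`, requests for images are not intercepted at all, and the forward to the JSP error page does not re-enter the filter.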