A1 - Unvalidated Input - request.setAttribute & session.setAttribute
During a recent scan of my application, the vulnerability report (OWASP Top Ten Report) pointed to instances of A1 - Unvalidated Input in the request.setAttribute & session.setAttribute method calls.
The CWE id for the vulnerability is http://cwe.mitre.org/data/definitions/20.html
My question is how do I resolve these vulnerabilities when there could be no validation done for the inputs. Ex: There is a common method which sets a given Object in the session, and all these Objects are created using the system without user input, but AppScan still gives these as vulnerabilities.
Also some of the setAttribute calls are marked as high priority and some medium and lower priority. How is this determined?
Updated on 2011-12-14T09:26:36Z at 2011-12-14T09:26:36Z by prashanth36
prashanth36 270004WW0Y 2 Posts
Re: A1 - Unvalidated Input - resolution 2011-12-14T09:26:36Z
Hi,
Even I am facing the same issues and my application is similar to yours (which doesn't need any user input). Even then it's reporting the same. Did you find any solution for these?
MPKeshava 270000V1Y4 1 Post
Re: A1 - Unvalidated Input - resolution 2013-08-20T05:26:43Z
- prashanth36 270004WW0Y
Too bad that I have the same problem now after a couple of years, with no one answering. Is the question itself flawed? (Euphemism for "stupid" :-))