Topic
  • 2 replies
  • Latest Post - ‏2013-08-20T05:26:43Z by MPKeshava
VasanthJayakumar
1 Post

Pinned topic A1 - Unvalidated Input - resolution

2010-07-09T17:27:06Z
A1 - Unvalidated Input - request.setAttribute & session.setAttribute

During a recent scan of my application, the vulnerability report (OWASP Top Ten Report) pointed to instances of A1 - Unvalidated Input in the request.setAttribute & session.setAttribute method calls.
The CWE id for the vulnerability is http://cwe.mitre.org/data/definitions/20.html

My question is how do I resolve these vulnerabilities when there could be no validation done for the inputs? Ex: There is a common method which sets a given Object in the session, and all these Objects are created using the system without user input, but AppScan still gives these as vulnerabilities.

Also, some of the setAttribute calls are marked as high priority and some as medium or lower priority. How is this determined?
Updated on 2011-12-14T09:26:36Z by prashanth36
  • prashanth36
    2 Posts

    Re: A1 - Unvalidated Input - resolution

    ‏2011-12-14T09:26:36Z  
    Hi,

    Even I am facing the same issues, and my application is similar to yours (which doesn't need any user input). Even then it's reporting the same. Did you find any solution for these?

    Thanks
    Prashanth
  • MPKeshava
    1 Post

    Re: A1 - Unvalidated Input - resolution

    ‏2013-08-20T05:26:43Z  
    Too bad that I have the same problem now after a couple of years, with no one answering. Is the question itself flawed? (Euphemism for "stupid" :-))