
Package com.h3xstream.findsecbugs.injection.trust

Trust Boundary Violation is a fancy name for a tainted value passed directly to a session attribute.


Package com.h3xstream.findsecbugs.injection.trust Description

Trust Boundary Violation is a fancy name for a tainted value passed directly to a session attribute. This could be an expected behavior that allows an attacker to change the session state.

When the attribute name is dynamic, it is a lot more suspicious than when only the attribute value is dynamic: setAttribute(suspiciousValue, "true") vs setAttribute("language", commonDynamicValue).

For this reason, the trust boundary violation check was split into two detectors. This allows users to hide the findings of the lower-priority detector.

See Also:
TrustBoundaryViolationAttributeDetector, TrustBoundaryViolationValueDetector
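As an added illustration, not code from find-sec-bugs itself: the two call shapes the detectors distinguish, beside a hardened version that keeps the attribute name constant and validates the value against an allow-list. The servlet handler methods and the SUPPORTED_LANGUAGES set are assumptions made for this example.

```java
// Added example (not part of find-sec-bugs): the two patterns the
// TrustBoundaryViolation detectors report, and a hardened form.
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import java.util.Set;

public class SessionTrustBoundaryExample {

    // Hypothetical allow-list of languages this application supports.
    private static final Set<String> SUPPORTED_LANGUAGES = Set.of("en", "fr", "de");

    // Reported by TrustBoundaryViolationAttributeDetector (higher priority):
    // the attribute NAME comes straight from the request, so the client
    // decides which session key is written.
    public static void taintedAttributeName(HttpServletRequest request) {
        HttpSession session = request.getSession();
        String key = request.getParameter("key");
        session.setAttribute(key, "true");
    }

    // Reported by TrustBoundaryViolationValueDetector (lower priority):
    // the name is a constant and only the VALUE is tainted. Common and
    // often intended, but the value is stored without any validation.
    public static void taintedAttributeValue(HttpServletRequest request) {
        HttpSession session = request.getSession();
        session.setAttribute("language", request.getParameter("lang"));
    }

    // Hardened form: constant attribute name and a value checked against
    // the allow-list before it reaches the session. Returns the value
    // actually stored so callers can verify the fallback behaviour.
    public static String validatedAttributeValue(HttpServletRequest request) {
        HttpSession session = request.getSession();
        String lang = request.getParameter("lang");
        String safe = (lang != null && SUPPORTED_LANGUAGES.contains(lang)) ? lang : "en";
        session.setAttribute("language", safe);
        return safe;
    }
}
```

The first method is the case the page calls "a lot more suspicious": any request parameter becomes a session key. The third method shows why the value-only case is lower priority and how to close it: the name stays a compile-time constant and the stored value can only ever be one of the allow-listed strings.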

Copyright © 2017. All rights reserved.