tainted-session-from-http-request-deepsemgrep

Detected input from an HttpServletRequest flowing into a session command such as setAttribute. Storing request data in the session without validation lets an attacker place arbitrary values in your session attributes, blurring the line between what is trusted and what is untrusted and therefore causing a trust boundary violation: code that later reads the session has no way to tell that the value was never checked, so programmers end up trusting unvalidated data. Instead, thoroughly validate and sanitize user input before passing it into such function calls.

Likelihood: HIGH
Confidence: HIGH
CWE:
- CWE-501: Trust Boundary Violation
OWASP:
- A04:2021 - Insecure Design
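The following is an added Java example, not code from the Semgrep rule page or its test cases, showing the source-to-sink flow the rule matches and one way to fix it. It assumes the javax.servlet API (Servlet 4) and Java 11+ on the classpath; the parameter names `locale` and `pageSize`, the `SUPPORTED_LOCALES` allowlist and the page-size bounds are constructed for illustration. The first servlet copies request parameters straight into the session; the second validates each value against a fixed allowlist or numeric range and stores a typed result, so code that later reads the session gets a value that was checked on the way in.

```java
import java.io.IOException;
import java.util.Locale;
import java.util.Set;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Pattern the rule flags: request parameters flow unchecked into session attributes. */
class TaintedSessionServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Source: both values are fully attacker-controlled.
        String locale = req.getParameter("locale");
        String pageSize = req.getParameter("pageSize");
        HttpSession session = req.getSession();
        // Sink: the raw strings now sit on the trusted side of the boundary.
        // Anything that later calls session.getAttribute("locale") and builds a
        // resource path, a query, or a page of output from it is trusting
        // data that was never validated.
        session.setAttribute("locale", locale);
        session.setAttribute("pageSize", pageSize);
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }
}

/** Hardened form: validate at the boundary and store typed, checked values. */
class ValidatedSessionServlet extends HttpServlet {
    // Constructed allowlist for the example; a real application would derive it
    // from the locales it actually ships resources for.
    private static final Set<String> SUPPORTED_LOCALES = Set.of("en", "de", "fr");
    private static final int MIN_PAGE_SIZE = 1;
    private static final int MAX_PAGE_SIZE = 100;

    /** Returns the canonical locale tag if it is supported, otherwise null. */
    static String validateLocale(String raw) {
        if (raw == null) return null;
        String candidate = raw.trim().toLowerCase(Locale.ROOT);
        return SUPPORTED_LOCALES.contains(candidate) ? candidate : null;
    }

    /** Parses the page size and returns it only if it lies within bounds, otherwise null. */
    static Integer validatePageSize(String raw) {
        if (raw == null) return null;
        try {
            int n = Integer.parseInt(raw.trim());
            return (n >= MIN_PAGE_SIZE && n <= MAX_PAGE_SIZE) ? n : null;
        } catch (NumberFormatException e) {
            return null;
        }
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String locale = validateLocale(req.getParameter("locale"));
        Integer pageSize = validatePageSize(req.getParameter("pageSize"));
        if (locale == null || pageSize == null) {
            // Reject rather than store: nothing unvalidated crosses into the session.
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "invalid preferences");
            return;
        }
        HttpSession session = req.getSession();
        // Only allowlisted / range-checked, typed values reach the trusted side.
        session.setAttribute("locale", locale);
        session.setAttribute("pageSize", pageSize);
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }
}
```

Storing `pageSize` as an `Integer` rather than the original string is deliberate: consumers of the session then receive a type that cannot carry path separators, SQL fragments or script, and the bounds check happened exactly once, at the boundary the rule is about.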