...
...
...
...
...
Discoverability | 0 |
|---|
DREAD Score | 3 |
|---|
5.1.x | Yes |
|---|
RPI | Yes |
|---|
Quote |
|---|
|
...
Every field, that is submitted from a form is considered as belonging to unit that processes it. This poses a security threat, because fieldĀ absenceĀ on a form doesn't mean, that if added it won't be processed.
...
Maybe we need to use deny-by-default logic, where none of fields by default isn't allowed to be submitted from a form and developer must explicitly define which fields are allowed. Right now we using same policy with permissions: everything is denied and if developer decides to:
give user permission, that is bound to an event being executed
or by other means allows access to an event
then he will be responsible for that. Hopefully developer would think twice before allowing to set forged password reset token, that in theory would allow anyone to reset any other user's password using standard "Forgot Password" form.
Also I've found a video, which explains several form-related security issues and methods, used to solve them in Laravel framework:
| Widget Connector |
|---|
| overlay | youtube |
|---|
| _template | com/atlassian/confluence/extra/widgetconnector/templates/youtube.vm |
|---|
| width | 400px |
|---|
| url | http://www.youtube.com/watch?v=kVbPdLvLxUQ |
|---|
| height | 300px |
|---|
|
https://laravel.com/docs/11.x/eloquent#mass-assignment
Related Tasks
| Jira Legacy |
|---|
| server | In-Portal Issue Tracker | System Jira |
|---|
| serverId | 513b375f-8291-3313-9d9f-704c39b1f915 |
|---|
| key | INP-1291 |
|---|
|