J2EE Misconfiguration: Unsafe Bean Declaration
From OWASP
Last revision (mm/dd/yy): 2/26/2009
Description
Entity beans that expose a remote interface become part of an application's attack surface. For performance reasons, an application should rarely use remote entity beans, so there is a good chance that a remote entity bean declaration is an error.
Risk Factors
Examples
<ejb-jar>
  <enterprise-beans>
    <entity>
      <ejb-name>EmployeeRecord</ejb-name>
      <home>com.wombat.empl.EmployeeRecordHome</home>
      <remote>com.wombat.empl.EmployeeRecord</remote>
      ...
    </entity>
    ...
  </enterprise-beans>
</ejb-jar>
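One way to audit ejb-jar.xml descriptors for this misconfiguration, as an added example that is not part of the original OWASP page: the check flags entity beans that declare `<home>` or `<remote>` and passes those that use `<local-home>` and `<local>`. The PayrollFacade session bean and the EmployeeRecordLocal/EmployeeRecordLocalHome interface names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptors. Only the EmployeeRecord remote declaration
# mirrors the page's example; every other name here is an assumption.
REMOTE_DESCRIPTOR = """<ejb-jar>
  <enterprise-beans>
    <entity>
      <ejb-name>EmployeeRecord</ejb-name>
      <home>com.wombat.empl.EmployeeRecordHome</home>
      <remote>com.wombat.empl.EmployeeRecord</remote>
    </entity>
    <session>
      <ejb-name>PayrollFacade</ejb-name>
      <home>com.wombat.empl.PayrollFacadeHome</home>
      <remote>com.wombat.empl.PayrollFacade</remote>
    </session>
  </enterprise-beans>
</ejb-jar>"""

LOCAL_DESCRIPTOR = """<ejb-jar xmlns="http://java.sun.com/xml/ns/j2ee">
  <enterprise-beans>
    <entity>
      <ejb-name>EmployeeRecord</ejb-name>
      <local-home>com.wombat.empl.EmployeeRecordLocalHome</local-home>
      <local>com.wombat.empl.EmployeeRecordLocal</local>
    </entity>
  </enterprise-beans>
</ejb-jar>"""


def _local(tag):
    """Strip an XML namespace so DTD-based and schema-based descriptors both match."""
    return tag.rsplit("}", 1)[-1]


def find_remote_entity_beans(descriptor_xml):
    """Return (ejb-name, remote or home interface) for each remotely exposed entity bean."""
    findings = []
    for elem in ET.fromstring(descriptor_xml).iter():
        if _local(elem.tag) != "entity":
            continue  # session beans are out of scope for this particular check
        fields = {_local(child.tag): (child.text or "").strip() for child in elem}
        if "remote" in fields or "home" in fields:
            findings.append((fields.get("ejb-name", ""), fields.get("remote", fields.get("home"))))
    return findings


if __name__ == "__main__":
    print(find_remote_entity_beans(REMOTE_DESCRIPTOR))
```

Each finding is a declaration to review: either the remote interface is a deliberate design decision, or the bean should be redeclared with local interfaces as in the second descriptor.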
Related Attacks
Related Vulnerabilities
Related Controls
Related Technical Impacts
References
TBD

