Java Trust Boundary Violation
Description
Detects Trust Boundary Violation vulnerabilities in Java web applications where user-controlled input is stored in shared session state. This can lead to session data leakage or manipulation between users if attackers can control values stored in session attributes.
Detection Strategy
• Check for calls to setAttribute() or putValue() methods that store data in session state
• Verify the method is called on a session/request object (HttpServletRequest, HttpSession, etc.)
• Confirm the data being stored comes from user-controllable input parameters
• Flag cases where user input flows directly into session storage without proper validation
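The detection strategy above can be sketched as a small line-based taint tracker. This is an added example, not Fluid Attacks' scanner: the source-method list, the name-based session/request receiver check and the sample snippets are assumptions, and `escapeHtml4` counts as cleansing only because the page's secure example uses it.

```python
import re

# Assumed taint sources: request getters that return client-controlled data.
SOURCE = re.compile(r"(\w+)\s*=\s*\w+\.(?:getHeader|getParameter|getQueryString)\s*\(")
# Session sinks named in the detection strategy: setAttribute() / putValue().
SINK = re.compile(r"([\w.()]+)\.(?:setAttribute|putValue)\s*\(\s*[^,]+,\s*(\w+)\s*\)")
# Plain assignments, used to follow copies of a tainted variable.
ASSIGN = re.compile(r"(\w+)\s*=(?!=)\s*(.+);")
# Cleansing call taken from the page's secure example; extend per project policy.
SANITIZERS = ("escapeHtml4",)


def find_violations(java_source):
    """Return (line_number, variable) for tainted values stored in session state."""
    tainted, findings = set(), []
    for number, raw in enumerate(java_source.splitlines(), start=1):
        line = raw.split("//", 1)[0]  # ignore trailing line comments
        source, assign, sink = SOURCE.search(line), ASSIGN.search(line), SINK.search(line)
        if source:
            tainted.add(source.group(1))
        elif assign:
            target, expr = assign.groups()
            cleansed = any(name in expr for name in SANITIZERS)
            carries = any(re.search(rf"\b{re.escape(v)}\b", expr) for v in tainted)
            if carries and not cleansed:
                tainted.add(target)      # taint propagates through copies
            else:
                tainted.discard(target)  # overwritten with clean or sanitized data
        # Name-based receiver check (assumption): a real analyzer resolves types.
        if sink and re.search(r"session|request", sink.group(1), re.I):
            if sink.group(2) in tainted:
                findings.append((number, sink.group(2)))
    return findings


# Constructed samples modeled on the page's examples.
VULNERABLE = '''String param = request.getHeader("someheader");
String copy = param;
request.getSession().setAttribute("something", copy);'''
SANITIZED = '''String param = request.getHeader("someheader");
param = StringEscapeUtils.escapeHtml4(param);
request.getSession().setAttribute("something", param);'''

if __name__ == "__main__":
    print("vulnerable:", find_violations(VULNERABLE))
    print("sanitized: ", find_violations(SANITIZED))
```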
Vulnerable code example
import javax.servlet.http.HttpServletRequest;

public class Test {
    public void unsafeSession(HttpServletRequest request) {
        String param = request.getHeader("someheader"); // Unsafe: Directly using untrusted header data
        request.getSession().setAttribute("something", param);
    }
}
Secure code example
import javax.servlet.http.HttpServletRequest;
import org.apache.commons.text.StringEscapeUtils;

public class Test {
    public void safeSession(HttpServletRequest request) {
        String param = request.getHeader("someheader");
        if (param != null) {
            param = StringEscapeUtils.escapeHtml4(param); // Sanitize header data before storing...