Spring View Manipulation Vulnerability

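In this article, we explain how dangerous unrestricted view name manipulation in the Spring Framework could be. Before doing so, let's look at the simplest Spring application that uses Thymeleaf as a templating engine:

Structure:

HelloController.java:

    import org.springframework.stereotype.Controller;
    import org.springframework.ui.Model;
    import org.springframework.web.bind.annotation.GetMapping;

    @Controller
    public class HelloController {

        // Handles GET / and renders the "welcome" template.
        @GetMapping("/")
        public String index(Model model) {
            model.addAttribute("message", "happy birthday");
            return "welcome"; // fixed view name, not derived from request data
        }
    }

Due […]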

