Sep 12, 2022
Mass Assignment: Request Parameters Bound into Persisted Objects
Explanation
Persistent objects are bound to the underlying database and are updated automatically by the persistence framework, such as Hibernate or JPA. Allowing Spring MVC to bind such an object directly to the request lets an attacker inject unexpected values into the database simply by supplying additional request parameters that match the entity's setters.
Solution
Never bind a persistent bean (a Hibernate/JPA entity) directly to the request. Bind the request to a dedicated request wrapper class instead, and build the entity from that wrapper.
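As an added example (not code from the original page), the two controllers below show the vulnerable direct binding beside the request-wrapper fix in Spring MVC with Spring Data JPA. The `User` entity, the `UserForm` wrapper, `UserRepository`, the endpoint paths and the `admin` field are assumptions chosen for illustration.

```java
// Added example (not from the original page): contrasts binding a JPA entity
// directly to the request with binding to a request wrapper (DTO). The class
// names User, UserForm, UserRepository and the field names are assumptions.
import jakarta.persistence.Entity;
import jakarta.persistence.GeneratedValue;
import jakarta.persistence.Id;
import jakarta.validation.Valid;
import jakarta.validation.constraints.Email;
import jakarta.validation.constraints.NotBlank;
import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.bind.annotation.PostMapping;

@Entity
class User {
    @Id @GeneratedValue
    private Long id;
    private String username;
    private String email;
    // Server-controlled field: must never be settable from the request.
    private boolean admin = false;

    public String getUsername() { return username; }
    public void setUsername(String username) { this.username = username; }
    public String getEmail() { return email; }
    public void setEmail(String email) { this.email = email; }
    public boolean isAdmin() { return admin; }
    public void setAdmin(boolean admin) { this.admin = admin; }
}

interface UserRepository extends JpaRepository<User, Long> {}

// VULNERABLE: the entity itself is the @ModelAttribute, so Spring MVC binds every
// request parameter that matches a setter. A request carrying admin=true sets the
// privileged flag, and save() persists it.
@Controller
class VulnerableSignupController {
    private final UserRepository users;
    VulnerableSignupController(UserRepository users) { this.users = users; }

    @PostMapping("/signup-vulnerable")
    public String signup(@ModelAttribute User user) {
        users.save(user);
        return "redirect:/welcome";
    }
}

// Request wrapper: exposes only the fields this endpoint is meant to accept.
class UserForm {
    @NotBlank private String username;
    @Email @NotBlank private String email;

    public String getUsername() { return username; }
    public void setUsername(String username) { this.username = username; }
    public String getEmail() { return email; }
    public void setEmail(String email) { this.email = email; }
}

// FIXED: bind the request to UserForm, then copy the permitted fields onto a
// fresh entity. An admin=true parameter has no matching property on UserForm,
// so the binder ignores it and the entity keeps its server-side default.
@Controller
class SafeSignupController {
    private final UserRepository users;
    SafeSignupController(UserRepository users) { this.users = users; }

    @PostMapping("/signup")
    public String signup(@Valid @ModelAttribute UserForm form) {
        User user = new User();
        user.setUsername(form.getUsername());
        user.setEmail(form.getEmail());
        // user.admin is never touched here; only explicit server-side logic may set it.
        users.save(user);
        return "redirect:/welcome";
    }
}
```

The wrapper is the allow-list: a parameter can only reach the database if the wrapper has a property for it and the controller explicitly copies it across. Because `@Valid` is used without a `BindingResult` parameter, a validation failure is rejected by Spring MVC with a 400 response before the handler runs. As defence in depth, an `@InitBinder` method calling `WebDataBinder.setAllowedFields(...)` can additionally restrict which parameters the binder will accept, but it does not replace the wrapper, since a new setter on the entity would otherwise become bindable without anyone revisiting the controller.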