Description

This web application uses Object Reflection in an insecure way. Object Reflection is a programming technique for inspecting and changing the behavior of a program at runtime: it allows new objects to be instantiated, methods to be invoked, and class variables to be read or written dynamically, without prior knowledge of the implementation.

It was determined that an attacker can control, through externally supplied user input, the name of the class that is instantiated.

Remediation

Apply strict input validation: use an allowlist or indirect selection so that the user can only select classes or code that the application explicitly permits.
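The following is an added example (not code from the application this finding describes) contrasting the vulnerable pattern with the two remediations above, using a hypothetical report-export feature in which the client chooses the exporter class:

```python
"""Added example: user-controlled class selection via reflection, and two fixes.
All names (CsvExporter, JsonExporter, the loader functions) are hypothetical."""
import importlib
import json


class CsvExporter:
    def export(self, rows):
        return "\n".join(",".join(map(str, r)) for r in rows)


class JsonExporter:
    def export(self, rows):
        return json.dumps(rows)


# --- Vulnerable pattern: a fully qualified class name taken from the request ---
def load_exporter_unsafe(qualified_name: str):
    """Reflection driven by user input: any importable class can be returned,
    not just the two exporters the feature was written for."""
    module_name, _, class_name = qualified_name.rpartition(".")
    module = importlib.import_module(module_name or __name__)
    return getattr(module, class_name)


# --- Remediation 1: allowlist mapping a short token to a known class ---
EXPORTERS = {"csv": CsvExporter, "json": JsonExporter}


def load_exporter_allowlist(token: str):
    """Only classes present in the server-side allowlist can be instantiated."""
    try:
        return EXPORTERS[token]
    except KeyError:
        raise ValueError(f"unsupported export format: {token!r}") from None


# --- Remediation 2: indirect selection by index into a fixed table ---
EXPORTER_TABLE = (CsvExporter, JsonExporter)


def load_exporter_indirect(choice: int):
    """The client never supplies a name, only a position in a fixed table."""
    if not isinstance(choice, int) or not 0 <= choice < len(EXPORTER_TABLE):
        raise ValueError("invalid export format selection")
    return EXPORTER_TABLE[choice]


def run_export(rows, loader, selection):
    """Instantiate the exporter chosen by `loader` and render `rows` with it."""
    return loader(selection)().export(rows)
```

With the unsafe loader, a request naming an unrelated class such as `collections.Counter` is resolved and instantiated; the allowlist and indirect loaders reject anything outside the fixed set.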
