Struts: Incomplete validate() Method Definition
ID: 103 | Date: (C)2012-05-14 (M)2022-10-10 |
Type: weakness | Status: DRAFT |
Abstraction Type: Variant |
Description
The application has a validator form that either does not
define a validate() method, or defines a validate() method but does not call
super.validate().
Extended Description
If you do not call super.validate(), the Validation Framework cannot check
the contents of the form against a validation form. In other words, the
validation framework will be disabled for the given form.
Applicable Platforms
Language: Java
Time Of Introduction
Common Consequences
Scope | Technical Impact | Notes
--- | --- | ---
Other | Other | Disabling the validation framework for a form exposes the application to numerous types of attacks. Unchecked input is the root cause of vulnerabilities like cross-site scripting, process control, and SQL injection.
Confidentiality, Integrity, Availability, Other | Other | Although J2EE applications are not generally susceptible to memory corruption attacks, if a J2EE application interfaces with native code that does not perform array bounds checking, an attacker may be able to use an input validation mistake in the J2EE application to launch a buffer overflow attack.
Detection Methods
None
Potential Mitigations
Phase | Strategy | Description | Effectiveness | Notes
--- | --- | --- | --- | ---
Implementation | | Implement the validate() method and call super.validate() within that method. | |
Relationships
This could introduce other weaknesses related to missing input
validation.
Related CWE | Type | View | Chain
--- | --- | --- | ---
CWE-103 ChildOf CWE-896 | Category | CWE-888 |
Demonstrative Examples (Details)
- In the following Java example the class RegistrationForm is a Struts
framework ActionForm Bean that will maintain user input data from a
registration webpage for an online business site. The user will enter
registration data and the RegistrationForm bean in the Struts framework will
maintain the user data. The RegistrationForm class implements the validate
method to validate the user input entered into the form.
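As an added example (not the CWE entry's own demonstrative code), the following shows a Struts 1.x ValidatorForm written the weak way beside the corrected form; the message keys and the validation.xml rules the fixed form relies on are assumed.

```java
import javax.servlet.http.HttpServletRequest;
import org.apache.struts.action.ActionErrors;
import org.apache.struts.action.ActionMapping;
import org.apache.struts.action.ActionMessage;
import org.apache.struts.validator.ValidatorForm;

// WEAK (CWE-103): validate() is overridden but super.validate() is never
// called, so every rule declared for this form in validation.xml (required,
// maxlength, mask, ...) is silently skipped. Only the one check below runs.
class WeakRegistrationForm extends ValidatorForm {
    private String name;
    private String email;
    public String getName() { return name; }
    public void setName(String v) { name = v; }
    public String getEmail() { return email; }
    public void setEmail(String v) { email = v; }

    @Override
    public ActionErrors validate(ActionMapping mapping, HttpServletRequest request) {
        ActionErrors errors = new ActionErrors();
        if (name == null || name.trim().isEmpty()) {
            errors.add("name", new ActionMessage("error.name.required")); // assumed key
        }
        return errors; // email and any other declared rules are never checked
    }
}

// FIXED: start from super.validate() so the declarative rules still apply,
// then layer form-specific checks on top of the errors it produced.
class RegistrationForm extends ValidatorForm {
    private String name;
    private String email;
    private String confirmEmail;
    public String getName() { return name; }
    public void setName(String v) { name = v; }
    public String getEmail() { return email; }
    public void setEmail(String v) { email = v; }
    public String getConfirmEmail() { return confirmEmail; }
    public void setConfirmEmail(String v) { confirmEmail = v; }

    @Override
    public ActionErrors validate(ActionMapping mapping, HttpServletRequest request) {
        // Runs the validation.xml rules for this form; ValidatorForm returns a non-null object.
        ActionErrors errors = super.validate(mapping, request);
        // Cross-field check that the declarative rules cannot express on their own.
        if (email != null && !email.equals(confirmEmail)) {
            errors.add("confirmEmail", new ActionMessage("error.email.mismatch")); // assumed key
        }
        return errors;
    }
}
```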
White Box Definitions
None
Black Box Definitions
None
Taxonomy Mappings
Taxonomy | Id | Name | Fit
--- | --- | --- | ---
7 Pernicious Kingdoms | | Struts: Erroneous validate() Method |
References
None