[Forgot Password]
Login  Register Subscribe

30479

 
 

423868

 
 

248392

 
 

909

 
 

195452

 
 

282

 
Paid content will be excluded from the download.


Download | Alert*
CWE
view XML

Struts: Incomplete validate() Method Definition

ID: 103Date: (C)2012-05-14   (M)2022-10-10
Type: weaknessStatus: DRAFT
Abstraction Type: Variant





Description

The application has a validator form that either does not define a validate() method, or defines a validate() method but does not call super.validate().

Extended Description

If you do not call super.validate(), the Validation Framework cannot check the contents of the form against a validation form. In other words, the validation framework will be disabled for the given form.

Applicable Platforms
Language: Java

Time Of Introduction

  • Implementation

Common Consequences

ScopeTechnical ImpactNotes
Other
 		Other
 		Disabling the validation framework for a form exposes the application to numerous types of attacks. Unchecked input is the root cause of vulnerabilities like cross-site scripting, process control, and SQL injection.
 
Confidentiality
Integrity
Availability
Other
 		Other
 		Although J2EE applications are not generally susceptible to memory corruption attacks, if a J2EE application interfaces with native code that does not perform array bounds checking, an attacker may be able to use an input validation mistake in the J2EE application to launch a buffer overflow attack.
 

Detection Methods
None

Potential Mitigations

PhaseStrategyDescriptionEffectivenessNotes
Implementation
 		 Implement the validate() method and call super.validate() within that method.
 		  

Relationships
This could introduce other weaknesses related to missing input validation.

Related CWETypeViewChain
CWE-103 ChildOf CWE-896 Category CWE-888  

Demonstrative Examples   (Details)

  1. In the following Java example the class RegistrationForm is a Struts framework ActionForm Bean that will maintain user input data from a registration webpage for an online business site. The user will enter registration data and the RegistrationForm bean in the Struts framework will maintain the user data. Tthe RegistrationForm class implements the validate method to validate the user input entered into the form.

White Box Definitions
None

Black Box Definitions
None

Taxynomy Mappings

TaxynomyIdNameFit
7 Pernicious Kingdoms  Struts: Erroneous validate() Method
 		 

References:
None

© SecPod Technologies