Struts: Form Bean Does Not Extend Validation Class| ID: 104 | Date: (C)2012-05-14 (M)2022-10-10 |
| Type: weakness | Status: DRAFT |
| Abstraction Type: Variant |
Description
If a form bean does not extend an ActionForm subclass of the
Validator framework, it can expose the application to other weaknesses related
to insufficient input validation.
Applicable PlatformsLanguage: Java
Time Of Introduction
Common Consequences
| Scope | Technical Impact | Notes |
|---|
| Other | Other | Bypassing the validation framework for a form exposes the application
to numerous types of attacks. Unchecked input is an important component
of vulnerabilities like cross-site scripting, process control, and SQL
injection. |
| ConfidentialityIntegrityAvailabilityOther | Other | Although J2EE applications are not generally susceptible to memory
corruption attacks, if a J2EE application interfaces with native code
that does not perform array bounds checking, an attacker may be able to
use an input validation mistake in the J2EE application to launch a
buffer overflow attack. |
Detection MethodsNone
Potential Mitigations
| Phase | Strategy | Description | Effectiveness | Notes |
|---|
| Implementation | | Ensure that all forms extend one of the Validation Classes. | | |
Relationships
| Related CWE | Type | View | Chain |
|---|
| CWE-104 ChildOf CWE-896 | Category | CWE-888 | |
Demonstrative Examples (Details)
- In the following Java example the class RegistrationForm is a Struts
framework ActionForm Bean that will maintain user information from a
registration webpage for an online business site. The user will enter
registration data and through the Struts framework the RegistrationForm bean
will maintain the user data.
White Box Definitions None
Black Box Definitions None
Taxynomy Mappings
| Taxynomy | Id | Name | Fit |
|---|
| 7 Pernicious Kingdoms | | Struts: Form Bean Does Not Extend Validation
Class | |
References:None
