Struts: Unvalidated Action Form| ID: 108 | Date: (C)2012-05-14 (M)2022-10-10 |
| Type: weakness | Status: INCOMPLETE |
| Abstraction Type: Variant |
Description
Every Action Form must have a corresponding validation
form.
Extended DescriptionIf a Struts Action Form Mapping specifies a form, it must have a
validation form defined under the Struts Validator.
Applicable PlatformsLanguage: Java
Time Of Introduction
Common Consequences
| Scope | Technical Impact | Notes |
|---|
| Other | Other | If an action form mapping does not have a validation form defined, it
may be vulnerable to a number of attacks that rely on unchecked input.
Unchecked input is the root cause of some of today's worst and most
common software security problems. Cross-site scripting, SQL injection,
and process control vulnerabilities all stem from incomplete or absent
input validation. |
| ConfidentialityIntegrityAvailabilityOther | Other | Although J2EE applications are not generally susceptible to memory
corruption attacks, if a J2EE application interfaces with native code
that does not perform array bounds checking, an attacker may be able to
use an input validation mistake in the J2EE application to launch a
buffer overflow attack. |
Detection MethodsNone
Potential Mitigations
| Phase | Strategy | Description | Effectiveness | Notes |
|---|
| Implementation | | Map every Action Form to a corresponding validation form. | | |
Relationships
| Related CWE | Type | View | Chain |
|---|
| CWE-108 ChildOf CWE-896 | Category | CWE-888 | |
Demonstrative ExamplesNone
White Box Definitions None
Black Box Definitions None
Taxynomy Mappings
| Taxynomy | Id | Name | Fit |
|---|
| 7 Pernicious Kingdoms | | Struts: Unvalidated Action Form | |
References:None
