Struts: Non-private Field in ActionForm Class
ID: 608 | Date: (C)2012-05-14 (M)2022-10-10 |
Type: weakness | Status: DRAFT |
Abstraction Type: Variant |
Description
An ActionForm class contains a field that has not been declared
private, so other code can read or modify it directly without going
through its getter or setter.
Applicable Platforms
Language: Java
Time Of Introduction
Common Consequences
Scope | Technical Impact | Notes |
---|
Integrity; Confidentiality | Modify application data; Read application data | |
Detection Methods
None
Potential Mitigations
Phase | Strategy | Description | Effectiveness | Notes |
---|
Implementation | | Make all fields private. Use getters to read field values.
Setters should be called only by the framework; setting an action form
field from another action is bad practice and should be avoided. | | |
Relationships
Related CWE | Type | View | Chain |
---|
ChildOf CWE-897 | Category | CWE-888 | |
Demonstrative Examples (Details)
- In the following Java example the class RegistrationForm is a Struts
framework ActionForm bean that maintains user input data from a
registration web page for an online business site. The user enters
registration data and, through the Struts framework, the RegistrationForm bean
maintains the user data.
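The code of the example is not reproduced on this page. The following block is an added illustration, not the CWE entry's own code, written against the Struts 1.x API (org.apache.struts.action). It places a weak form beside a hardened one: WeakRegistrationForm leaves its fields package-private, so any class in the same package (including the servlets that JSPs compile into) can read the password or overwrite termsAccepted without the setter, skipping the normalization the setter applies and whatever validate() later checks. RegistrationForm makes every field private, so the only way in is the setter the Struts RequestProcessor calls when it populates the form from request parameters. The class names, field names and message keys are assumptions chosen for the illustration.

```java
import javax.servlet.http.HttpServletRequest;
import org.apache.struts.action.ActionErrors;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionMapping;
import org.apache.struts.action.ActionMessage;

// Added example (not the CWE entry's own code). Weak variant: the fields are
// package-private, which is CWE-608. Any class in the same package can do
//   form.password = "..."; or  form.termsAccepted = true;
// and neither the setter nor the framework sees it.
class WeakRegistrationForm extends ActionForm {
    private static final long serialVersionUID = 1L;
    String name;             // CWE-608: not private
    String email;            // CWE-608: not private
    String password;         // CWE-608: not private, readable by any class in the package
    boolean termsAccepted;   // CWE-608: not private, can be flipped without the setter

    public void setName(String name) { this.name = name == null ? null : name.trim(); }
    public String getName() { return name; }
    public void setEmail(String email) { this.email = email == null ? null : email.trim(); }
    public String getEmail() { return email; }
    public void setPassword(String password) { this.password = password; }
    public void setTermsAccepted(boolean termsAccepted) { this.termsAccepted = termsAccepted; }
    public boolean isTermsAccepted() { return termsAccepted; }
}

// Hardened variant: every field is private, so the setters are the only write
// path and the getters the only read path. Normalization lives in the setters,
// and validate() sees exactly what the setters stored.
public class RegistrationForm extends ActionForm {
    private static final long serialVersionUID = 1L;
    private String name;
    private String email;
    private String password;
    private boolean termsAccepted;

    // Called by the Struts RequestProcessor when it populates the form from
    // request parameters; application Actions should not call these directly.
    public void setName(String name) { this.name = name == null ? null : name.trim(); }
    public String getName() { return name; }
    public void setEmail(String email) { this.email = email == null ? null : email.trim(); }
    public String getEmail() { return email; }
    public void setPassword(String password) { this.password = password; }
    // Deliberately no getPassword(): the Action that registers the user reads it
    // through a narrowly scoped accessor instead of exposing it to JSPs.
    String takePassword() { String p = password; password = null; return p; }
    public void setTermsAccepted(boolean termsAccepted) { this.termsAccepted = termsAccepted; }
    public boolean isTermsAccepted() { return termsAccepted; }

    @Override
    public void reset(ActionMapping mapping, HttpServletRequest request) {
        // An unchecked checkbox sends no parameter at all, so the framework never
        // calls the setter; clear it here or a stale "true" survives from the
        // previous request on a session-scoped form.
        termsAccepted = false;
    }

    @Override
    public ActionErrors validate(ActionMapping mapping, HttpServletRequest request) {
        ActionErrors errors = new ActionErrors();
        if (name == null || name.isEmpty()) {
            errors.add("name", new ActionMessage("error.name.required"));
        }
        if (email == null || !email.matches("[^@\\s]+@[^@\\s]+\\.[^@\\s]+")) {
            errors.add("email", new ActionMessage("error.email.invalid"));
        }
        if (password == null || password.length() < 12) {
            errors.add("password", new ActionMessage("error.password.tooShort"));
        }
        if (!termsAccepted) {
            errors.add("termsAccepted", new ActionMessage("error.terms.required"));
        }
        return errors;
    }
}
```

With the hardened class, a statement such as form.termsAccepted = true in another Action or in a JSP no longer compiles, which is the check the mitigation row above relies on; the validate() method can then assume the only values it sees arrived through the setters, and the lack of a public getPassword() keeps the credential out of property expressions in the view.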
White Box Definitions None
Black Box Definitions None
Taxonomy Mappings
Taxonomy | Id | Name | Fit |
---|
Anonymous Tool Vendor (under NDA) | | | |
References
None