Abstraction: Variant · Status: Draft

CWE-104: Struts: Form Bean Does Not Extend Validation Class

Category: other

Description

If a form bean does not extend an ActionForm subclass of the Validator framework, it can expose the application to other weaknesses related to insufficient input validation.

Common consequences

  • Other — Other
    Bypassing the validation framework for a form exposes the application to numerous types of attacks. Unchecked input is an important component of vulnerabilities like cross-site scripting, process control, and SQL injection.
  • Confidentiality / Integrity / Availability / Other — Other
    Although J2EE applications are not generally susceptible to memory corruption attacks, if a J2EE application interfaces with native code that does not perform array bounds checking, an attacker may be able to use an input validation mistake in the J2EE application to launch a buffer overflow attack.

Potential mitigations

  • [Implementation] Ensure that all forms extend one of the Validation Classes.
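As an added example (not part of the CWE entry and not code from Apache Struts), the contrast the mitigation describes, written for Struts 1: a form bean that extends ActionForm directly, which the Validator framework never inspects, beside one that extends ValidatorForm so the rules declared in validation.xml run on every submit. The package, class and property names and the configuration fragments in the comments are assumptions made for illustration. Struts 1 has been end-of-life since 2013, so this pattern mostly matters when maintaining or reviewing legacy code.

```java
// Added example for CWE-104; package, class and property names are hypothetical.
package com.example.web;

import javax.servlet.http.HttpServletRequest;
import org.apache.struts.action.ActionErrors;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionMapping;
import org.apache.struts.validator.ValidatorForm;

/**
 * WEAK (the CWE-104 pattern): extends ActionForm directly.
 * The Validator framework never runs for this bean, so any rules declared
 * for "loginForm" in validation.xml are silently ignored. Unless validate()
 * is hand-written and kept in sync with every field, request parameters
 * reach the Action unchecked.
 */
class LoginFormWeak extends ActionForm {
    private String username;
    private String password;

    public String getUsername() { return username; }
    public void setUsername(String username) { this.username = username; }
    public String getPassword() { return password; }
    public void setPassword(String password) { this.password = password; }
    // No validate() override: ActionForm.validate() returns null, i.e. "no errors".
}

/**
 * FIXED: extends ValidatorForm. ValidatorForm.validate() looks up the
 * <form name="loginForm"> rules in validation.xml and applies them on every
 * submit, so the checks are declarative and cannot be forgotten per field.
 */
public class LoginForm extends ValidatorForm {
    private String username = "";
    private String password = "";

    public String getUsername() { return username; }
    public void setUsername(String username) { this.username = username; }
    public String getPassword() { return password; }
    public void setPassword(String password) { this.password = password; }

    // Optional programmatic checks may be layered on top, but super.validate()
    // must be called first so the framework rules still run.
    @Override
    public ActionErrors validate(ActionMapping mapping, HttpServletRequest request) {
        ActionErrors errors = super.validate(mapping, request);
        // additional ActionMessages could be added to 'errors' here
        return errors;
    }

    // Reset to known-safe defaults between requests when the bean is session-scoped.
    @Override
    public void reset(ActionMapping mapping, HttpServletRequest request) {
        username = "";
        password = "";
    }
}

/* validation.xml (assumed content) that ValidatorForm.validate() applies:
 *
 * <form-validation>
 *   <formset>
 *     <form name="loginForm">
 *       <field property="username" depends="required,mask,maxlength">
 *         <arg key="loginForm.username"/>
 *         <arg position="1" name="maxlength" key="${var:maxlength}" resource="false"/>
 *         <var><var-name>mask</var-name><var-value>^[A-Za-z0-9_.-]+$</var-value></var>
 *         <var><var-name>maxlength</var-name><var-value>32</var-value></var>
 *       </field>
 *       <field property="password" depends="required,minlength">
 *         <arg key="loginForm.password"/>
 *         <arg position="1" name="minlength" key="${var:minlength}" resource="false"/>
 *         <var><var-name>minlength</var-name><var-value>8</var-value></var>
 *       </field>
 *     </form>
 *   </formset>
 * </form-validation>
 *
 * struts-config.xml (assumed content): the bean must be registered under the
 * same name, the ValidatorPlugIn must be loaded, and the action mapping must
 * keep validate="true"; otherwise even a ValidatorForm is never checked
 * (the related entry "Struts: Validator Turned Off").
 *
 *   <form-bean name="loginForm" type="com.example.web.LoginForm"/>
 *   <action path="/login" type="com.example.web.LoginAction" name="loginForm"
 *           scope="request" validate="true" input="/login.jsp"/>
 *   <plug-in className="org.apache.struts.validator.ValidatorPlugIn">
 *     <set-property property="pathnames"
 *                   value="/WEB-INF/validator-rules.xml,/WEB-INF/validation.xml"/>
 *   </plug-in>
 */
```

The review check this turns into is mechanical: every class named in a `<form-bean>` element of struts-config.xml must extend ValidatorForm, ValidatorActionForm, or their DynaValidatorForm / DynaValidatorActionForm counterparts, and each form must have a matching `<form>` entry in validation.xml; a bean that extends plain ActionForm, or a bean name with no validation rules, is the finding.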

References

  1. https://cwe.mitre.org/data/definitions/104.html

Related by meaning

Nearest entities by semantic similarity across the cs-graph corpus.

  • CWE: Struts: Unvalidated Action Form
  • CWE: Struts: Plug-in Framework not in Use
  • CWE: Struts: Validator Without Form Field
  • CWE: Struts: Non-private Field in ActionForm Class
  • CWE: Struts: Incomplete validate() Method Definition
  • CWE: Struts: Validator Turned Off
Sourced from MITRE CWE 4.20. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.