VariantDraft

CWE-105Struts: Form Field Without Validator

Category: other

Description

The product has a form field that is not validated by a corresponding validation form, which can introduce other weaknesses related to insufficient input validation. Omitting validation for even a single input field may give attackers the leeway they need to compromise the product. Although J2EE applications are not generally susceptible to memory corruption attacks, if a J2EE application interfaces with native code that does not perform array bounds checking, an attacker may be able to use an input validation mistake in the J2EE application to launch a buffer overflow attack.

Common consequences· 2

  • Integrity — Unexpected State
  • Integrity — Bypass Protection Mechanism
    If unused fields are not validated, shared business logic in an action may allow attackers to bypass the validation checks that are performed for other uses of the form.

Potential mitigations· 1

  • [Implementation]Validate all form fields. If a field is unused, it is still important to constrain it so that it is empty or undefined.

References

  1. https://cwe.mitre.org/data/definitions/105.html

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CWE
Struts: Plug-in Framework not in Use
CWE
Struts: Validator Turned Off
CWE
Struts: Incomplete validate() Method Definition
CWE
Struts: Unused Validation Form
CWE
Struts: Duplicate Validation Forms
CWE
Struts: Unvalidated Action Form
Sourced from MITRE CWE 4.20. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.