[Forgot Password]
Login  Register Subscribe

30479

 
 

423868

 
 

251139

 
 

909

 
 

196159

 
 

282

Paid content will be excluded from the download.


Download | Alert*
CWE
view XML

Struts: Form Bean Does Not Extend Validation Class

ID: 104Date: (C)2012-05-14   (M)2022-10-10
Type: weaknessStatus: DRAFT
Abstraction Type: Variant





Description

If a form bean does not extend an ActionForm subclass of the Validator framework, it can expose the application to other weaknesses related to insufficient input validation.

Applicable Platforms
Language: Java

Time Of Introduction

  • Implementation

Common Consequences

ScopeTechnical ImpactNotes
Other
 
Other
 
Bypassing the validation framework for a form exposes the application to numerous types of attacks. Unchecked input is an important component of vulnerabilities like cross-site scripting, process control, and SQL injection.
 
Confidentiality
Integrity
Availability
Other
 
Other
 
Although J2EE applications are not generally susceptible to memory corruption attacks, if a J2EE application interfaces with native code that does not perform array bounds checking, an attacker may be able to use an input validation mistake in the J2EE application to launch a buffer overflow attack.
 

Detection Methods
None

Potential Mitigations

PhaseStrategyDescriptionEffectivenessNotes
Implementation
 
 Ensure that all forms extend one of the Validation Classes.
 
  

Relationships

Related CWETypeViewChain
CWE-104 ChildOf CWE-896 Category CWE-888  

Demonstrative Examples   (Details)

  1. In the following Java example the class RegistrationForm is a Struts framework ActionForm Bean that will maintain user information from a registration webpage for an online business site. The user will enter registration data and through the Struts framework the RegistrationForm bean will maintain the user data.

White Box Definitions
None

Black Box Definitions
None

Taxynomy Mappings

TaxynomyIdNameFit
7 Pernicious Kingdoms  Struts: Form Bean Does Not Extend Validation Class
 
 

References:
None

© SecPod Technologies