CWE

Common Weakness Enumeration

A Community-Developed Dictionary of Software Weakness Types

CWE/SANS Top 25 Most Dangerous Software Errors Common Weakness Scoring System
Common Weakness Risk Analysis Framework
Home > CWE List > CWE- Individual Dictionary Definition (2.7)  

Presentation Filter:

CWE-105: Struts: Form Field Without Validator

 
Struts: Form Field Without Validator
Weakness ID: 105 (Weakness Variant)Status: Draft
+ Description

Description Summary

The application has a form field that is not validated by a corresponding validation form, which can introduce other weaknesses related to insufficient input validation.

Extended Description

Omitting validation for even a single input field may give attackers the leeway they need to compromise the application. Although J2EE applications are not generally susceptible to memory corruption attacks, if a J2EE application interfaces with native code that does not perform array bounds checking, an attacker may be able to use an input validation mistake in the J2EE application to launch a buffer overflow attack.

+ Time of Introduction
  • Implementation
+ Applicable Platforms

Languages

Java

+ Modes of Introduction

Some applications use the same ActionForm for more than one purpose. In situations like this, some fields may go unused under some action mappings.

+ Common Consequences
ScopeEffect

Technical Impact: Unexpected state

Technical Impact: Bypass protection mechanism

If unused fields are not validated, shared business logic in an action may allow attackers to bypass the validation checks that are performed for other uses of the form.

+ Demonstrative Examples

Example 1

In the following example the Java class RegistrationForm is a Struts framework ActionForm Bean that will maintain user input data from a registration webpage for an online business site. The user will enter registration data and, through the Struts framework, the RegistrationForm bean will maintain the user data in the form fields using the private member variables. The RegistrationForm class uses the Struts validation capability by extending the ValidatorForm class and including the validation for the form fields within the validator XML file, validator.xml.

(Good Code)
 
public class RegistrationForm extends org.apache.struts.validator.ValidatorForm {

// private variables for registration form
private String name;
private String address;
private String city;
private String state;
private String zipcode;
private String phone;
private String email;

public RegistrationForm() {
super();
}

// getter and setter methods for private variables
...
}

The validator XML file, validator.xml, provides the validation for the form fields of the RegistrationForm.

(Bad Code)
Example Language: XML 
<form-validation>
<formset>
<form name="RegistrationForm">
<field property="name" depends="required">
<arg position="0" key="prompt.name"/>
</field>
<field property="address" depends="required">
<arg position="0" key="prompt.address"/>
</field>
<field property="city" depends="required">
<arg position="0" key="prompt.city"/>
</field>
<field property="state" depends="required,mask">
<arg position="0" key="prompt.state"/>
<var>
<var-name>mask</var-name>
<var-value>[a-zA-Z]{2}</var-value>
</var>
</field>
<field property="zipcode" depends="required,mask">
<arg position="0" key="prompt.zipcode"/>
<var>
<var-name>mask</var-name>
<var-value>\d{5}</var-value>
</var>
</field>
</form>
</formset>
</form-validation>

However, in the previous example the validator XML file, validator.xml, does not provide validators for all of the form fields in the RegistrationForm. Validator forms are only provided for the first five of the seven form fields. The validator XML file should contain validator forms for all of the form fields for a Struts ActionForm bean. The following validator.xml file for the RegistrationForm class contains validator forms for all of the form fields.

(Good Code)
Example Language: XML 
<form-validation>
<formset>
<form name="RegistrationForm">
<field property="name" depends="required">
<arg position="0" key="prompt.name"/>
</field>
<field property="address" depends="required">
<arg position="0" key="prompt.address"/>
</field>
<field property="city" depends="required">
<arg position="0" key="prompt.city"/>
</field>
<field property="state" depends="required,mask">
<arg position="0" key="prompt.state"/>
<var>
<var-name>mask</var-name>
<var-value>[a-zA-Z]{2}</var-value>
</var>
</field>
<field property="zipcode" depends="required,mask">
<arg position="0" key="prompt.zipcode"/>
<var>
<var-name>mask</var-name>
<var-value>\d{5}</var-value>
</var>
</field>
<field property="phone" depends="required,mask">
<arg position="0" key="prompt.phone"/>
<var>
<var-name>mask</var-name>
<var-value>^([0-9]{3})(-)([0-9]{4}|[0-9]{4})$</var-value>
</var>
</field>
<field property="email" depends="required,email">
<arg position="0" key="prompt.email"/>
</field>
</form>
</formset>
</form-validation>
+ Potential Mitigations

Phase: Implementation

Ensure that you validate all form fields. If a field is unused, it is still important to constrain it so that it is empty or undefined.

+ Weakness Ordinalities
OrdinalityDescription
(where the weakness exists independent of other weaknesses)
+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfWeakness ClassWeakness Class20Improper Input Validation
Seven Pernicious Kingdoms (primary)700
Research Concepts (primary)1000
ChildOfCategoryCategory101Struts Validation Problems
Development Concepts (primary)699
ChildOfCategoryCategory896SFP Cluster: Tainted Input
Software Fault Pattern (SFP) Clusters (primary)888
+ Causal Nature

Explicit

+ Taxonomy Mappings
Mapped Taxonomy NameNode IDFitMapped Node Name
7 Pernicious KingdomsStruts: Form Field Without Validator
+ Content History
Submissions
Submission DateSubmitterOrganizationSource
Externally Mined
Modifications
Modification DateModifierOrganizationSource
2008-07-01CigitalExternal
updated Time_of_Introduction
2008-09-08MITREInternal
updated Relationships, Other_Notes, Taxonomy_Mappings, Weakness_Ordinalities
2010-06-21MITREInternal
updated Demonstrative_Examples
2011-06-01MITREInternal
updated Common_Consequences
2011-06-27MITREInternal
updated Common_Consequences
2012-05-11MITREInternal
updated Relationships
2012-10-30MITREInternal
updated Potential_Mitigations
2014-06-23MITREInternal
updated Common_Consequences, Description, Modes_of_Introduction, Other_Notes
Page Last Updated: June 23, 2014