Status: Incomplete
Weakness ID: 108 (Weakness Variant)

Description Summary
Every Action Form must have a corresponding validation form.

Weakness Ordinalities
Primary (where the weakness exists independent of other weaknesses)

Causal Nature
Explicit (an explicit weakness resulting from behavior of the developer)

Potential Mitigations
Map every Action Form to a corresponding validation form.

Other Notes
If a Struts Action Form Mapping specifies a form, it must have a validation form defined under the Struts Validator. If an action form mapping does not have a validation form defined, it may be vulnerable to a number of attacks that rely on unchecked input. Unchecked input is the root cause of some of today's worst and most common software security problems. Cross-site scripting, SQL injection, and process control vulnerabilities all stem from incomplete or absent input validation. Although J2EE applications are not generally susceptible to memory corruption attacks, if a J2EE application interfaces with native code that does not perform array bounds checking, an attacker may be able to use an input validation mistake in the J2EE application to launch a buffer overflow attack. An action or a form may perform validation in other ways, but the Struts Validator provides an excellent way to verify that all input receives at least a basic level of checking. Without this approach, it is difficult, and often impossible, to establish with a high level of confidence that all input is validated.

Relationships

Taxonomy Mappings

Applicable Platforms
Languages: Java

Time of Introduction
Implementation

Content History
Submissions: 7 Pernicious Kingdoms. (Externally Mined)
Modifications: Eric Dalci. Cigital. 2008-07-01. (External) updated Potential_Mitigations, Time_of_Introduction
Modifications: CWE Content Team. MITRE. 2008-09-08. (Internal) updated Relationships, Other_Notes, Taxonomy_Mappings, Weakness_Ordinalities
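The following is an added example, not code from the CWE entry or from MITRE, showing what the mitigation looks like in a Struts 1 application. The form name `loginForm`, the action path `/login`, the action class `com.example.LoginAction` and the field names are hypothetical. The weak configuration is an action mapping that names a form bean with no matching `<form>` entry in validation.xml, so the Validator never runs on it; the corrected configuration adds that entry and turns validation on for the mapping.

```xml
<!-- struts-config.xml (excerpt, hypothetical application) -->
<struts-config>
  <form-beans>
    <!-- DynaValidatorForm lets the Struts Validator apply rules from validation.xml -->
    <form-bean name="loginForm" type="org.apache.struts.validator.DynaValidatorForm">
      <form-property name="username" type="java.lang.String"/>
      <form-property name="password" type="java.lang.String"/>
    </form-bean>
  </form-beans>

  <action-mappings>
    <!-- WEAK (CWE-108): the mapping names loginForm, but validation.xml has no
         <form name="loginForm"> entry, so request parameters reach the action unchecked.
    <action path="/login" type="com.example.LoginAction" name="loginForm" scope="request"/>
    -->

    <!-- CORRECTED: validate="true" runs the Validator, and input="/login.jsp" is
         where the request is sent back when validation fails. -->
    <action path="/login" type="com.example.LoginAction" name="loginForm"
            scope="request" validate="true" input="/login.jsp"/>
  </action-mappings>

  <!-- The ValidatorPlugIn must be registered and must load validation.xml. -->
  <plug-in className="org.apache.struts.validator.ValidatorPlugIn">
    <set-property property="pathnames"
                  value="/WEB-INF/validator-rules.xml,/WEB-INF/validation.xml"/>
  </plug-in>
</struts-config>

<!-- validation.xml: the validation form that must exist for every mapped Action Form -->
<form-validation>
  <formset>
    <!-- The form name here must match the form-bean name used in the action mapping. -->
    <form name="loginForm">
      <!-- required + mask: reject empty values and anything outside a strict allow-list -->
      <field property="username" depends="required,mask,maxlength">
        <arg key="loginForm.username"/>
        <var><var-name>mask</var-name><var-value>^[A-Za-z0-9_]{3,32}$</var-value></var>
        <var><var-name>maxlength</var-name><var-value>32</var-value></var>
      </field>
      <field property="password" depends="required,maxlength">
        <arg key="loginForm.password"/>
        <var><var-name>maxlength</var-name><var-value>128</var-value></var>
      </field>
    </form>
  </formset>
</form-validation>
```

A simple audit for this weakness is to list every `name="..."` attribute on `<action>` elements in struts-config.xml and confirm each value appears as a `<form name="...">` in validation.xml; any mapping without a match, or with `validate="false"`, is an Action Form whose input is not checked by the Validator and needs either an entry here or documented validation elsewhere.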