CWE Individual Dictionary Definition (CWE version 1.0.1)

CWE-108: Struts: Unvalidated Action Form

Status: Incomplete
Weakness ID: 108 (Weakness Variant)
Description
Summary

Every Action Form must have a corresponding validation form.

Weakness Ordinalities
Primary (where the weakness exists independent of other weaknesses)
Causal Nature
Explicit (an explicit weakness resulting from behavior of the developer)
Potential Mitigations

Map every Action Form to a corresponding validation form.

Other Notes

If a Struts Action Form Mapping specifies a form, it must have a validation form defined under the Struts Validator. If an action form mapping does not have a validation form defined, it may be vulnerable to a number of attacks that rely on unchecked input. Unchecked input is the root cause of some of today's worst and most common software security problems. Cross-site scripting, SQL injection, and process control vulnerabilities all stem from incomplete or absent input validation. Although J2EE applications are not generally susceptible to memory corruption attacks, if a J2EE application interfaces with native code that does not perform array bounds checking, an attacker may be able to use an input validation mistake in the J2EE application to launch a buffer overflow attack. An action or a form may perform validation in other ways, but the Struts Validator provides an excellent way to verify that all input receives at least a basic level of checking. Without this approach, it is difficult, and often impossible, to establish with a high level of confidence that all input is validated.
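As an added example (not part of the CWE entry), the Struts 1.x configuration this note describes, showing the weak action mapping with no validation form beside its corrected form and the validation.xml entry that completes it; the form-bean, action path, Action class and message-key names are assumed:

```xml
<!-- struts-config.xml (Struts 1.x syntax assumed; all names are invented) -->
<struts-config>
  <form-beans>
    <!-- DynaValidatorForm lets the Validator plug-in check each property -->
    <form-bean name="loginForm"
               type="org.apache.struts.validator.DynaValidatorForm">
      <form-property name="username" type="java.lang.String"/>
      <form-property name="password" type="java.lang.String"/>
    </form-bean>
  </form-beans>
  <action-mappings>
    <!-- WEAK (CWE-108): the form is bound to the action, but with no
         matching <form> in validation.xml nothing checks the input:
         <action path="/login" name="loginForm" type="com.example.LoginAction"/> -->
    <!-- CORRECTED: validate="true" runs the rules below before the Action;
         input= is the page Struts forwards to when validation fails -->
    <action path="/login" name="loginForm" type="com.example.LoginAction"
            validate="true" input="/login.jsp"/>
  </action-mappings>
  <!-- Without this plug-in validation.xml is never loaded at all -->
  <plug-in className="org.apache.struts.validator.ValidatorPlugIn">
    <set-property property="pathnames"
                  value="/WEB-INF/validator-rules.xml,/WEB-INF/validation.xml"/>
  </plug-in>
</struts-config>

<!-- validation.xml: the validation form that completes the mapping.
     For DynaValidatorForm the <form name> must equal the form-bean name;
     for ValidatorActionForm it must equal the action path instead. -->
<form-validation>
  <formset>
    <form name="loginForm">
      <field property="username" depends="required,maxlength,mask">
        <arg key="login.username"/>
        <var><var-name>maxlength</var-name><var-value>32</var-value></var>
        <var><var-name>mask</var-name><var-value>^[A-Za-z0-9_.]+$</var-value></var>
      </field>
      <field property="password" depends="required,minlength">
        <arg key="login.password"/>
        <var><var-name>minlength</var-name><var-value>8</var-value></var>
      </field>
    </form>
  </formset>
</form-validation>
```

A mapping that binds a form with validate="false", or a form name that does not match any <form> in validation.xml, silently reintroduces the weakness, so review the action mappings together with validation.xml.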

Relationships
Nature | Type | ID | Name | View(s) this relationship pertains to
ChildOf | Weakness Class | 20 | Insufficient Input Validation | Seven Pernicious Kingdoms (primary) 700; Research Concepts (primary) 1000
ChildOf | Category | 101 | Struts Validation Problems | Development Concepts (primary) 699
Taxonomy Mappings
Mapped Taxonomy Name | Mapped Node Name
7 Pernicious Kingdoms | Struts: Unvalidated Action Form
Applicable Platforms
Languages
Java
Time of Introduction
* Implementation
Content History
Submissions
7 Pernicious Kingdoms. (Externally Mined)
Modifications
Eric Dalci. Cigital. 2008-07-01. (External)
updated Potential_Mitigations, Time_of_Introduction
CWE Content Team. MITRE. 2008-09-08. (Internal)
updated Relationships, Other_Notes, Taxonomy_Mappings, Weakness_Ordinalities
Page Last Updated: October 16, 2008