CWE - Common Weakness Enumeration
CWE List, Individual Dictionary Definition (version 2.7)
CWE-109: Struts: Validator Turned Off

Weakness ID: 109 (Weakness Variant)
Status: Draft
+ Description

Description Summary

Validation has been turned off for a Struts action mapping (validate="false"), which disables the Struts Validator and any custom validation logic in the associated ActionForm for requests to that path. This exposes the application to other weaknesses related to insufficient input validation.
+ Time of Introduction
  • Implementation
+ Applicable Platforms

Languages

Java

+ Common Consequences
Scope / Effect

Technical Impact: Bypass protection mechanism

+ Demonstrative Examples

Example 1

An action mapping that turns validation off for the form bean it binds (validate="false"). Requests to this path reach the action without the Struts Validator rules or the form's validate() method ever running, so the action handles unvalidated input and is exposed to whatever attacks that input enables.

(Bad Code)
Example Language: XML
<!-- validate="false": neither the Validator plug-in nor downloadForm.validate() runs for this path -->
<action path="/download"
        type="com.website.d2.action.DownloadAction"
        name="downloadForm"
        scope="request"
        input=".download"
        validate="false">
</action>
+ Potential Mitigations

Phase: Implementation

Ensure that every action mapping that binds a form bean keeps validation enabled: set validate="true" (Struts 1 also defaults to true when the attribute is omitted) and give the mapping an input attribute so that validation failures have a forward target. Enabling the flag only helps if the form bean actually validates: it must extend ValidatorForm or DynaValidatorForm with rules declared in validation.xml, or override validate() itself; with neither, validate="true" checks nothing.

+ Other Notes

The action mapping in the demonstrative example disables the form's validate() method for that path. A separate setting has a similar effect on output encoding: the Struts bean:write tag encodes special HTML characters by default, replacing < with "&lt;" and > with "&gt;". That encoding can be disabled on an individual tag with filter="false". A JSP page that does so is susceptible to cross-site scripting, because attacker-supplied user input written through such a tag is emitted into the page unencoded.
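The two settings discussed on this page (validate="false" on an action mapping, and filter="false" on a bean:write tag) are both easy to audit statically. The following script is an added example, not MITRE/CWE or Apache Struts code: it parses a struts-config.xml for form-bound mappings that switch validation off and scans JSP text for unfiltered bean:write tags. The struts-config.xml and JSP contents are constructed samples (the first mapping repeats the bad example above, the second applies the mitigation), and the class names in them are placeholders.

```python
"""Audit Struts 1 sources for CWE-109 (validate="false" on an action mapping)
and for <bean:write ... filter="false"> (the XSS exposure from Other Notes).

Added example; not MITRE/CWE or Apache Struts code.  The configuration and
JSP text below are constructed samples with placeholder class names.
"""
import re
import xml.etree.ElementTree as ET

# Constructed struts-config.xml: /download repeats the page's bad example,
# /upload applies the mitigation, /logout binds no form bean at all.
STRUTS_CONFIG = """<struts-config>
  <form-beans>
    <form-bean name="downloadForm"
               type="org.apache.struts.validator.DynaValidatorForm">
      <form-property name="fileName" type="java.lang.String"/>
    </form-bean>
    <form-bean name="uploadForm"
               type="org.apache.struts.validator.DynaValidatorForm">
      <form-property name="title" type="java.lang.String"/>
    </form-bean>
  </form-beans>
  <action-mappings>
    <action path="/download"
            type="com.website.d2.action.DownloadAction"
            name="downloadForm"
            scope="request"
            input=".download"
            validate="false">
    </action>
    <action path="/upload"
            type="com.website.d2.action.UploadAction"
            name="uploadForm"
            scope="request"
            input=".upload"
            validate="true">
    </action>
    <action path="/logout"
            type="com.website.d2.action.LogoutAction">
    </action>
  </action-mappings>
</struts-config>
"""

# Constructed JSP fragment: line 3 turns HTML encoding off for one property.
JSP_PAGE = """<%@ taglib uri="http://struts.apache.org/tags-bean" prefix="bean" %>
<p>File: <bean:write name="downloadForm" property="fileName"/></p>
<p>Note: <bean:write name="downloadForm" property="comment" filter="false"/></p>
"""

# A bean:write tag carrying filter="false" anywhere in its attribute list.
BEAN_WRITE_UNFILTERED = re.compile(
    r"<bean:write\b[^>]*\bfilter\s*=\s*[\"']false[\"'][^>]*>", re.IGNORECASE)


def find_unvalidated_actions(config_xml):
    """Return the paths of action mappings that bind a form bean (name=...)
    yet carry validate="false".  Struts 1 defaults validate to true, so a
    mapping that omits the attribute is not flagged; a mapping with no form
    bean has nothing to validate and is skipped."""
    root = ET.fromstring(config_xml)
    flagged = []
    for action in root.iter("action"):
        has_form = action.get("name") is not None
        off = action.get("validate", "true").strip().lower() == "false"
        if has_form and off:
            flagged.append(action.get("path"))
    return flagged


def find_unfiltered_writes(jsp_text):
    """Return (line number, tag text) for every <bean:write> whose
    filter="false" disables the tag's HTML encoding."""
    hits = []
    for lineno, line in enumerate(jsp_text.splitlines(), start=1):
        for match in BEAN_WRITE_UNFILTERED.finditer(line):
            hits.append((lineno, match.group(0)))
    return hits


def audit(config_xml, jsp_text):
    """Combine both checks into a list of human-readable findings."""
    findings = ["CWE-109: validate=\"false\" on action path %s" % path
                for path in find_unvalidated_actions(config_xml)]
    findings += ["XSS risk: unfiltered bean:write at JSP line %d: %s" % (n, tag)
                 for n, tag in find_unfiltered_writes(jsp_text)]
    return findings


if __name__ == "__main__":
    for finding in audit(STRUTS_CONFIG, JSP_PAGE):
        print(finding)
```

On a real code base, feed find_unvalidated_actions() the contents of each struts-config*.xml and find_unfiltered_writes() each .jsp file; the mapping check deliberately ignores mappings without a name attribute, since validation in Struts 1 only applies when a form bean is bound.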

+ Weakness Ordinalities
Ordinality / Description
(where the weakness exists independent of other weaknesses)
+ Relationships
Nature / Type / ID / Name / View(s) this relationship pertains to
  • ChildOf Weakness Class 20 Improper Input Validation
    Seven Pernicious Kingdoms (primary) 700
    Research Concepts (primary) 1000
  • ChildOf Category 101 Struts Validation Problems
    Development Concepts (primary) 699
  • ChildOf Category 722 OWASP Top Ten 2004 Category A1 - Unvalidated Input
    Weaknesses in OWASP Top Ten (2004) (primary) 711
  • ChildOf Category 896 SFP Cluster: Tainted Input
    Software Fault Pattern (SFP) Clusters (primary) 888
+ Causal Nature

Explicit

+ Taxonomy Mappings
Mapped Taxonomy Name / Node ID / Fit / Mapped Node Name
7 Pernicious Kingdoms / - / - / Struts: Validator Turned Off
+ Content History
Submissions
Source: Externally Mined
Modifications
Modification Date (Organization, Source): change
  • 2008-07-01 (Cigital, External): updated Potential_Mitigations, Time_of_Introduction
  • 2008-09-08 (MITRE, Internal): updated Relationships, Other_Notes, Taxonomy_Mappings, Weakness_Ordinalities
  • 2009-03-10 (MITRE, Internal): updated Relationships
  • 2009-07-27 (MITRE, Internal): updated Demonstrative_Examples
  • 2010-06-21 (MITRE, Internal): updated Other_Notes
  • 2011-03-29 (MITRE, Internal): updated Demonstrative_Examples
  • 2011-06-01 (MITRE, Internal): updated Common_Consequences
  • 2012-05-11 (MITRE, Internal): updated Relationships
  • 2012-10-30 (MITRE, Internal): updated Potential_Mitigations
  • 2013-07-17 (MITRE, Internal): updated Relationships
Page Last Updated: June 23, 2014