CWE-109 Individual Dictionary Definition (Draft 9)
Weakness ID: 109 (Weakness Variant)
Status: Draft

Description
Summary: Automatic filtering via a Struts bean has been turned off, which disables the Struts Validator and custom validation logic. This exposes the application to other weaknesses related to insufficient input validation.

Weakness Ordinality: Primary (Weakness exists independent of other weaknesses)

Causal Nature: Explicit (This is an explicit weakness resulting from behavior of the developer)

Potential Mitigations: Ensure that an action form mapping enables validation.

Demonstrative Examples
An action form mapping that disables validation.

    <action path="/download"
            type="com.website.d2.action.DownloadAction"
            name="downloadForm"
            scope="request"
            input=".download"
            validate="false">
    </action>

Disabling validation exposes this action to numerous types of attacks. Unchecked input is the root cause of vulnerabilities like cross-site scripting, process control, and SQL injection. Although J2EE applications are not generally susceptible to memory corruption attacks, if a J2EE application interfaces with native code that does not perform array bounds checking, an attacker may be able to use an input validation mistake in the J2EE application to launch a buffer overflow attack.

Context Notes
The Action Form mapping in the demonstrative example disables the form's validate() method. The Struts bean:write tag automatically filters special HTML characters, replacing a < with &lt; and a > with &gt;. This filtering can be disabled on specific JSP pages by specifying filter="false" as an attribute of the tag. However, disabling it makes these pages susceptible to cross-site scripting attacks. An attacker may be able to insert malicious scripts as user input that is written to these JSP pages.

Relationships:

Source Taxonomies: 7 Pernicious Kingdoms - Struts: Validator Turned Off

Applicable Platforms: Java
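One way to check a code base for both settings this entry describes, as an added example that is not part of the CWE entry or of Struts itself: a small Python audit that flags action mappings with validation turned off and bean:write tags with filtering turned off. The sample configuration and JSP are constructed (only the /download mapping is the entry's), and the function names, the accepted "false" spellings and the `bean` taglib prefix are assumptions of this sketch.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs; only the /download mapping comes from the entry.
STRUTS_CONFIG = """<struts-config><action-mappings>
  <action path="/download" type="com.website.d2.action.DownloadAction"
          name="downloadForm" scope="request" input=".download" validate="false"/>
  <action path="/upload" type="com.example.UploadAction"
          name="uploadForm" scope="request" input=".upload" validate="true"/>
  <action path="/search" type="com.example.SearchAction" name="searchForm"/>
</action-mappings></struts-config>"""

JSP_PAGE = """<%@ taglib uri="http://struts.apache.org/tags-bean" prefix="bean" %>
<p>Hello, <bean:write name="user" property="name"/></p>
<p><bean:write name="user" property="bio"
               filter="false"/></p>"""

# Assumption: these spellings all count as "disabled" for this audit.
FALSE_VALUES = {"false", "no", "off", "0"}
# Assumption: the Struts bean taglib is imported under the usual "bean" prefix.
BEAN_WRITE = re.compile(
    r"<bean:write\b[^>]*?\bfilter\s*=\s*[\"']([^\"']*)[\"']", re.I | re.S)


def unvalidated_actions(config_xml):
    """Paths of <action> mappings that bind a form but turn validate() off."""
    root = ET.fromstring(config_xml)
    # A mapping with no validate attribute keeps the Struts default (true).
    return [a.get("path") for a in root.iter("action")
            if a.get("name")
            and a.get("validate", "true").strip().lower() in FALSE_VALUES]


def unfiltered_writes(jsp_text):
    """1-based line numbers of <bean:write> tags whose filter is turned off."""
    return [jsp_text.count("\n", 0, m.start()) + 1
            for m in BEAN_WRITE.finditer(jsp_text)
            if m.group(1).strip().lower() in FALSE_VALUES]


if __name__ == "__main__":
    print("validate disabled:", unvalidated_actions(STRUTS_CONFIG))
    print("filter disabled on lines:", unfiltered_writes(JSP_PAGE))
```

Each hit is a place to either re-enable the setting or confirm that the data reaching it is validated and encoded some other way.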