Automatic filtering via a Struts bean has been turned off,
which disables the Struts Validator and custom validation logic. This exposes
the application to other weaknesses related to insufficient input
validation.
Time of Introduction
Implementation
Applicable Platforms
Languages
Java
Demonstrative Examples
Example 1
An action form mapping that disables validation.
(Bad Code)
XML
<action path="/download"
type="com.website.d2.action.DownloadAction"
name="downloadForm"
scope="request"
input=".download"
validate="false">
</action>
Disabling validation exposes this action to numerous types of attacks.
Unchecked input is the root cause of vulnerabilities like cross-site
scripting, process control, and SQL injection. Although J2EE
applications are not generally susceptible to memory corruption attacks,
if a J2EE application interfaces with native code that does not perform
array bounds checking, an attacker may be able to use an input
validation mistake in the J2EE application to launch a buffer overflow
attack.
Potential Mitigations
Phase
Description
Ensure that an action form mapping enables validation. In the included
demonstrative example, the validate field should be set to true.
Other Notes
The Action Form mapping in the demonstrative example disables the form's
validate() method. The Struts bean: write tag automatically filters special
HTML characters, replacing a < with < and a > with
>. This action can be disabled by specifying filter="false" as an
attribute of the tag to disable specified JSP pages. However, being disabled
makes these pages susceptible to cross-site scripting attacks. An attacker
may be able to insert malicious scripts as user input to write to these JSP
pages.
Weakness Ordinalities
Ordinality
Description
Primary
(where the
weakness exists independent of other weaknesses)
Description
