Automatic filtering via a Struts bean has been turned off, which disables the Struts Validator and custom validation logic. This exposes the application to other weaknesses related to insufficient input validation.
Time of Introduction
Implementation
Applicable Platforms
Languages
Java
Common Consequences
Scope
Effect
Access Control
Technical Impact: Bypass protection
mechanism
Demonstrative Examples
Example 1
An action form mapping that disables validation. Disabling
validation exposes this action to numerous types of attacks.
(Bad Code)
Example
Language: XML
<action path="/download"
type="com.website.d2.action.DownloadAction"
name="downloadForm"
scope="request"
input=".download"
validate="false">
</action>
Potential Mitigations
Phase: Implementation
Ensure that an action form mapping enables validation. Set the
validate field to true.
Other Notes
The Action Form mapping in the demonstrative example disables the form's
validate() method. The Struts bean: write tag automatically encodes special
HTML characters, replacing a < with "<" and a >
with ">". This action can be disabled by specifying
filter="false" as an attribute of the tag to disable specified JSP pages.
However, being disabled makes these pages susceptible to cross-site
scripting attacks. An attacker may be able to insert malicious scripts as
user input to write to these JSP pages.
Weakness Ordinalities
Ordinality
Description
Primary
(where
the weakness exists independent of other weaknesses)