Struts: Validator Turned Off

Status: Draft; Abstraction: Variant
Structure: Simple
Description

Automatic filtering via a Struts bean has been turned off, which disables the Struts Validator and custom validation logic. This exposes the application to other weaknesses related to insufficient input validation.

Common Consequences
Scope: Access Control

Impact: Bypass Protection Mechanism

Potential Mitigations
Phase: Implementation
Ensure that an action form mapping enables validation. Set the validate field to true.
Demonstrative Examples
This mapping defines an action for a download form:

Code Example (Bad, XML):
This mapping has disabled validation. Disabling validation exposes this action to numerous types of attacks.
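An added audit script, not part of the CWE entry, that scans a Struts 1 struts-config.xml for the pattern this entry describes: an action mapping bound to a form bean with validate="false". It also flags a mapping that keeps validation on but gives Struts no input page to return validation errors to, since Struts 1 then fails at runtime instead of rejecting the input cleanly. The embedded configuration is constructed; its paths and class names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample struts-config.xml (hypothetical paths and classes).
SAMPLE_STRUTS_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<struts-config>
  <form-beans>
    <form-bean name="downloadForm" type="example.DownloadForm"/>
    <form-bean name="uploadForm" type="example.UploadForm"/>
    <form-bean name="profileForm" type="example.ProfileForm"/>
  </form-beans>
  <action-mappings>
    <!-- weak: Validator and custom validate() are skipped -->
    <action path="/download" type="example.DownloadAction"
            name="downloadForm" scope="request" input=".download"
            validate="false"/>
    <!-- corrected: validation on, errors go back to the input page -->
    <action path="/upload" type="example.UploadAction"
            name="uploadForm" scope="request" input=".upload"
            validate="true"/>
    <!-- validation on (the default) but no input page for errors -->
    <action path="/profile" type="example.ProfileAction"
            name="profileForm" scope="request"/>
    <!-- no form bean bound: nothing to validate, so not reported -->
    <action path="/logout" type="example.LogoutAction"/>
  </action-mappings>
</struts-config>
"""


def audit_action_mappings(config_xml: str) -> list[tuple[str, str]]:
    """Return (path, finding) pairs for action mappings that bind a form bean
    and either disable validation or cannot display validation errors."""
    root = ET.fromstring(config_xml)
    findings = []
    for action in root.iter("action"):
        path = action.get("path", "?")
        if action.get("name") is None:
            continue  # no ActionForm bound, so there is no validate() to run
        # Struts 1 defaults validate to true; only an explicit "false" turns it off.
        if action.get("validate", "true").strip().lower() == "false":
            findings.append((path, "validation disabled (validate=\"false\")"))
        elif action.get("input") is None:
            # With validation on, Struts needs an input page to forward errors to.
            findings.append((path, "validation enabled but no input attribute"))
    return findings


if __name__ == "__main__":
    for path, finding in audit_action_mappings(SAMPLE_STRUTS_CONFIG):
        print(f"{path}: {finding}")
```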
References
REF-6: Katrina Tsipenyuk, Brian Chess, and Gary McGraw. "Seven Pernicious Kingdoms: A Taxonomy of Software Security Errors." NIST Workshop on Software Security Assurance Tools, Techniques and Metrics, NIST, 2005-11-07.
Applicable Platforms
Languages:
Java (Undetermined Prevalence)
Modes of Introduction
Implementation
Taxonomy Mapping
  • 7 Pernicious Kingdoms
  • Software Fault Patterns
Notes
Other: The Action Form mapping in the demonstrative example disables the form's validate() method. The Struts bean:write tag automatically encodes special HTML characters, replacing a < with "&lt;" and a > with "&gt;". This encoding can be turned off for a given JSP page by specifying filter="false" as an attribute of the tag. However, pages with the filter disabled are susceptible to cross-site scripting attacks: an attacker may be able to insert malicious scripts as user input that is then written, unencoded, into those JSP pages.