Byte Open Security

(ByteOS Network)
CWE-108: Struts: Unvalidated Action Form
Weakness ID: 108
Version: v4.17
Weakness Name: Struts: Unvalidated Action Form
Vulnerability Mapping: Allowed
Abstraction: Variant
Structure: Simple
Status: Incomplete
Likelihood of Exploit:
▼Description

Every Action Form must have a corresponding validation form.

▼Extended Description

If a Struts Action Form Mapping specifies a form, it must have a validation form defined under the Struts Validator.

▼Alternate Terms
▼Relationships
Relevant to the view "Research Concepts - (1000)"
Nature: ChildOf
Mapping: Allowed
Type: Base
ID: 1173
Name: Improper Use of Validation Framework
▼Memberships
Nature: MemberOf
Mapping: Prohibited
Type: Category
ID: 990
Name: SFP Secondary Cluster: Tainted Input to Command

Nature: MemberOf
Mapping: Prohibited
Type: Category
ID: 1406
Name: Comprehensive Categorization: Improper Input Validation
▼Tags
Nature: MemberOf
Mapping: Prohibited
Type: BOSSView
ID: BOSS-279
Name: Input Validation Strategy

Nature: MemberOf
Mapping: Prohibited
Type: BOSSView
ID: BOSS-312
Name: Other (impact)
▼Relevant To View
Relevant to the view "Software Fault Pattern (SFP) Clusters - (888)"
Nature: MemberOf
Mapping: Prohibited
Type: Category
ID: 990
Name: SFP Secondary Cluster: Tainted Input to Command
▼Background Detail

▼Common Consequences
Scope: Other
Likelihood: N/A
Impact: Other
Note:

If an action form mapping does not have a validation form defined, it may be vulnerable to a number of attacks that rely on unchecked input. Unchecked input is the root cause of some of today's worst and most common software security problems. Cross-site scripting, SQL injection, and process control vulnerabilities all stem from incomplete or absent input validation.

Scope: Confidentiality, Integrity, Availability, Other
Likelihood: N/A
Impact: Other
Note:

Although J2EE applications are not generally susceptible to memory corruption attacks, if a J2EE application interfaces with native code that does not perform array bounds checking, an attacker may be able to use an input validation mistake in the J2EE application to launch a buffer overflow attack.

▼Potential Mitigations
Phase: Implementation
Mitigation ID:
Strategy: Input Validation
Effectiveness:
Description:

Map every Action Form to a corresponding validation form.

An action or a form may perform validation in other ways, but the Struts Validator provides an excellent way to verify that all input receives at least a basic level of validation. Without this approach, it is difficult, and often impossible, to establish with a high level of confidence that all input is validated.

Note:
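One way to check a Struts 1 deployment for this weakness is to cross-reference struts-config.xml against validation.xml: every action mapping that binds a form bean should keep validate="true" and have a matching <form> under the Validator. The audit below is an added example, not code from the CWE entry or the Struts project; both XML documents are constructed samples (the /search mapping has no validation form, and /ping reuses a validated form but switches validation off).

```python
"""Audit a Struts 1 configuration for CWE-108 (unvalidated action form).

Added example, not from the CWE entry; both XML documents are constructed.
"""
import xml.etree.ElementTree as ET

# Constructed struts-config.xml: loginForm is validated, searchForm is not,
# and /ping reuses loginForm but switches validation off.
STRUTS_CONFIG = """<struts-config>
  <action-mappings>
    <action path="/login" name="loginForm" validate="true" input="/login.jsp"/>
    <action path="/search" name="searchForm" validate="true" input="/search.jsp"/>
    <action path="/ping" name="loginForm" validate="false"/>
  </action-mappings>
</struts-config>"""

# Constructed validation.xml: only loginForm has a validation form.
VALIDATION_XML = """<form-validation>
  <formset>
    <form name="loginForm">
      <field property="username" depends="required,maxlength">
        <var><var-name>maxlength</var-name><var-value>32</var-value></var>
      </field>
    </form>
  </formset>
</form-validation>"""


def validated_forms(validation_xml):
    """Names of every <form> defined under any <formset> (locale-specific ones too)."""
    return {f.get("name") for f in ET.fromstring(validation_xml).iter("form")}


def find_unvalidated_actions(struts_xml, validation_xml):
    """Return (path, form, reason) for each action mapping the Validator will not cover."""
    forms = validated_forms(validation_xml)
    findings = []
    for action in ET.fromstring(struts_xml).iter("action"):
        form = action.get("name")
        if form is None:  # no form bean, so no request parameters are bound here
            continue
        # Struts defaults validate to "true"; an explicit "false" skips the Validator.
        if action.get("validate", "true").lower() == "false":
            findings.append((action.get("path"), form, "validate=false"))
        elif form not in forms:
            findings.append((action.get("path"), form, "no validation form"))
    return findings
```

Run it against a real deployment by reading the two files from WEB-INF instead of the embedded samples; each finding is an action whose input reaches the Action class without the Validator's basic checks.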

▼Modes Of Introduction
Phase: Implementation
Note:

N/A

▼Applicable Platforms
Languages
Class: Java (Undetermined Prevalence)
▼Demonstrative Examples
▼Observed Examples
▼Affected Resources
▼Functional Areas
▼Weakness Ordinalities
Ordinality: Primary
Description:
N/A
▼Detection Methods
▼Vulnerability Mapping Notes
Usage: Allowed
Reason: Acceptable-Use
Rationale:

This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.

Comments:

Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

Suggestions:
▼Notes
▼Taxonomy Mappings
Taxonomy Name: 7 Pernicious Kingdoms
Entry ID: N/A
Fit: N/A
Entry Name: Struts: Unvalidated Action Form

Taxonomy Name: Software Fault Patterns
Entry ID: SFP24
Fit: N/A
Entry Name: Tainted input to command
▼Related Attack Patterns
▼References
Reference ID: REF-6
Title: Seven Pernicious Kingdoms: A Taxonomy of Software Security Errors
Author: Katrina Tsipenyuk, Brian Chess, Gary McGraw
Publication: NIST Workshop on Software Security Assurance Tools, Techniques and Metrics
Publisher: NIST
URL: https://samate.nist.gov/SSATTM_Content/papers/Seven%20Pernicious%20Kingdoms%20-%20Taxonomy%20of%20Sw%20Security%20Errors%20-%20Tsipenyuk%20-%20Chess%20-%20McGraw.pdf
Date: 2005-11-07