Struts: Incomplete validate() Method Definition
Weakness ID: 103 (Weakness Variant) | Status: Draft
Description Summary
Extended Description
If you do not call super.validate(), the Validation Framework cannot check the contents of the form against a validation form. In other words, the validation framework will be disabled for the given form.
Common Consequences
Scope | Effect |
---|---|
Confidentiality, Integrity, Availability | Disabling the validation framework for a form exposes the application to numerous types of attacks. Unchecked input is the root cause of vulnerabilities like cross-site scripting, process control, and SQL injection. Although J2EE applications are not generally susceptible to memory corruption attacks, if a J2EE application interfaces with native code that does not perform array bounds checking, an attacker may be able to use an input validation mistake in the J2EE application to launch a buffer overflow attack. |
Background Details
The Struts Validator uses a form's validate() method to check the contents of the form properties against the constraints specified in the associated validation form. That means the following classes have a validate() method that is part of the validation framework: ValidatorForm, ValidatorActionForm, DynaValidatorForm, and DynaValidatorActionForm. If you create a class that extends one of these classes, and if your class implements custom validation logic by overriding the validate() method, you must call super.validate() in your validate() implementation.
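A worked example added here (it is not part of the CWE entry and not code from the Struts project): a Struts 1 form bean extending ValidatorForm, first with the incomplete override the entry describes, then with super.validate() called so the declarative rules in validation.xml still run. Class and field names are illustrative.

```java
import javax.servlet.http.HttpServletRequest;
import org.apache.struts.action.ActionErrors;
import org.apache.struts.action.ActionMapping;
import org.apache.struts.action.ActionMessage;
import org.apache.struts.validator.ValidatorForm;

// WEAK (CWE-103): the override never calls super.validate(), so every rule
// declared for this form in validation.xml (required, mask, maxlength, ...)
// is silently skipped. Only the password-match check runs.
class RegistrationFormWeak extends ValidatorForm {
    private String password;
    private String passwordConfirm;

    public void setPassword(String p) { password = p; }
    public void setPasswordConfirm(String p) { passwordConfirm = p; }

    @Override
    public ActionErrors validate(ActionMapping mapping, HttpServletRequest request) {
        ActionErrors errors = new ActionErrors();
        if (password == null || !password.equals(passwordConfirm)) {
            errors.add("password", new ActionMessage("errors.password.mismatch"));
        }
        return errors;
    }
}

// FIXED: delegate to the framework first, then append custom checks to the
// errors it produced, so declarative and programmatic validation both apply.
public class RegistrationForm extends ValidatorForm {
    private String password;
    private String passwordConfirm;

    public void setPassword(String p) { password = p; }
    public void setPasswordConfirm(String p) { passwordConfirm = p; }

    @Override
    public ActionErrors validate(ActionMapping mapping, HttpServletRequest request) {
        // Runs the validation.xml rules for this form's mapping.
        ActionErrors errors = super.validate(mapping, request);
        if (errors == null) {            // defensive: never lose our own errors
            errors = new ActionErrors();
        }
        if (password == null || !password.equals(passwordConfirm)) {
            errors.add("password", new ActionMessage("errors.password.mismatch"));
        }
        return errors;
    }
}
```

A quick regression check for the fixed form is to declare a `required` rule for `password` in validation.xml and submit the form with the field empty: the request must come back with that framework error, not only the mismatch message.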
Weakness Ordinalities
Ordinality | Description |
---|---|
Primary | (where the weakness exists independent of other weaknesses) |
Relationships
Nature | Type | ID | Name | View(s) this relationship pertains to |
---|---|---|---|---|
ChildOf | Weakness Class | 20 | Improper Input Validation | Seven Pernicious Kingdoms (primary), view 700 |
ChildOf | Category | 101 | Struts Validation Problems | Development Concepts (primary), view 699 |
ChildOf | Weakness Class | 573 | Failure to Follow Specification | Research Concepts (primary), view 1000 |
ChildOf | Category | 722 | OWASP Top Ten 2004 Category A1 - Unvalidated Input | Weaknesses in OWASP Top Ten (2004) (primary), view 711 |
Taxonomy Mappings
Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name |
---|---|---|---|
7 Pernicious Kingdoms | | | Struts: Erroneous validate() Method |
Maintenance Notes
The current description implies a loose composite of two separate weaknesses, so this node might need to be split or converted into a low-level category.
Submissions
Submission Date | Submitter | Organization | Source |
---|---|---|---|
| 7 Pernicious Kingdoms | | Externally Mined |
Modifications
Modification Date | Modifier | Organization | Source | Description |
---|---|---|---|---|
2008-07-01 | Eric Dalci | Cigital | External | updated Potential Mitigations, Time of Introduction |
2008-09-08 | CWE Content Team | MITRE | Internal | updated Relationships, Other Notes, Taxonomy Mappings, Weakness Ordinalities |
2008-10-14 | CWE Content Team | MITRE | Internal | updated Description, Maintenance Notes |
2008-11-24 | CWE Content Team | MITRE | Internal | updated Background Details, Common Consequences, Description, Other Notes, Relationship Notes |
2009-03-10 | CWE Content Team | MITRE | Internal | updated Relationships |
2009-12-28 | CWE Content Team | MITRE | Internal | updated Common Consequences, Other Notes |