Struts: Duplicate Validation Forms |
Weakness ID: 102 (Weakness Variant) | Status: Incomplete |
Description Summary
Extended Description
If two validation forms have the same name, the Struts Validator arbitrarily chooses one of the forms to use for input validation and discards the other. This decision might not correspond to the programmer's expectations, possibly leading to resultant weaknesses. Moreover, it indicates that the validation logic is not up-to-date, and can indicate that other, more subtle validation errors are present.
Scope | Effect |
---|---|
Confidentiality Integrity Availability | If a J2EE application interfaces with native code that does not perform array bounds checking, an attacker may be able to use an input validation mistake in the J2EE application to launch a buffer overflow attack. |
Example 1
Two validation forms with the same name.
It is critically important that validation logic be maintained and kept in sync with the rest of the application.
Phase: Implementation The DTD or schema validation will not catch the duplicate occurrence of the same form name. To find the issue in the implementation, manual checks or automated static analysis could be applied to the xml configuration files. |
Unchecked input is the root cause of some of today's worst and most common software security problems. Cross-site scripting, SQL injection, and process control vulnerabilities can all stem from incomplete or absent input validation. |
Ordinality | Description |
---|---|
Primary | (where the weakness exists independent of other weaknesses) |
Nature | Type | ID | Name | View(s) this relationship pertains to |
---|---|---|---|---|
ChildOf | Weakness Class | 20 | Improper Input Validation | Seven Pernicious Kingdoms (primary)700 |
ChildOf | Category | 101 | Struts Validation Problems | Development Concepts (primary)699 |
ChildOf | Weakness Base | 694 | Use of Multiple Resources with Duplicate Identifier | Research Concepts (primary)1000 |
ChildOf | Category | 722 | OWASP Top Ten 2004 Category A1 - Unvalidated Input | Weaknesses in OWASP Top Ten (2004) (primary)711 |
PeerOf | Weakness Class | 675 | Duplicate Operations on Resource | Research Concepts1000 |
Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name |
---|---|---|---|
7 Pernicious Kingdoms | Struts: Duplicate Validation Forms |
Submissions | ||||
---|---|---|---|---|
Submission Date | Submitter | Organization | Source | |
7 Pernicious Kingdoms | Externally Mined | |||
Modifications | ||||
Modification Date | Modifier | Organization | Source | |
2008-07-01 | Eric Dalci | Cigital | External | |
updated Demonstrative Example, Potential Mitigations, Time of Introduction | ||||
2008-09-08 | CWE Content Team | MITRE | Internal | |
updated Relationships, Other Notes, Taxonomy Mappings, Weakness Ordinalities | ||||
2008-10-14 | CWE Content Team | MITRE | Internal | |
updated Description, Other Notes, Potential Mitigations | ||||
2009-03-10 | CWE Content Team | MITRE | Internal | |
updated Relationships | ||||
2009-07-27 | CWE Content Team | MITRE | Internal | |
updated Demonstrative Examples | ||||
2009-12-28 | CWE Content Team | MITRE | Internal | |
updated Background Details, Common Consequences, Other Notes |