CWE-103: Struts: Incomplete validate() Method Definition
The product has a validator form that either does not define a validate() method, or defines a validate() method but does not call super.validate().
Extended Description
If the code does not call super.validate(), the Validation Framework cannot check the contents of the form against a validation form. In other words, the validation framework will be disabled for the given form.
Technical Details
- Structure: Simple
- Applicable To: Java
Security Consequences
- Impact: Disabling the validation framework for a form exposes the product to numerous types of attacks. Unchecked input is the root cause of vulnerabilities like cross-site scripting, process control, and SQL injection.
- Impact: Although J2EE applications are not generally susceptible to memory corruption attacks, if a J2EE application interfaces with native code that does not perform array bounds checking, an attacker may be able to use an input validation mistake in the J2EE application to launch a buffer overflow attack.
Mitigation Strategies
- Implement the validate() method and call super.validate() within that method.
Detection Methods
No detection method information available for this CWE.
Code Examples & CVEs
Demonstrative Examples
In the following Java example the class RegistrationForm is a Struts framework ActionForm Bean that will maintain user input data from a registration webpage for an online business site. The user will enter registration data and the RegistrationForm bean in the Struts framework will maintain the user data. The RegistrationForm class implements the validate method to validate the user input entered into the form.
Although the validate method is implemented in this example, the method does not call the validate method of the ValidatorForm parent class with a call to super.validate(). Without the call to the parent validator class only the custom validation will be performed and the default validation will not be performed. The following example shows that the validate method of the ValidatorForm class is called within the implementation of the validate method.
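The weak and corrected forms described above, as an added Struts 1.x example that is not the CWE entry's own demonstrative code; the bean property, the message key error.email.invalid and the custom e-mail check are assumptions made for illustration.

```java
import javax.servlet.http.HttpServletRequest;
import org.apache.struts.action.ActionErrors;
import org.apache.struts.action.ActionMapping;
import org.apache.struts.action.ActionMessage;
import org.apache.struts.validator.ValidatorForm;

// Weak version (CWE-103): validate() is defined, but super.validate() is never
// called, so the rules declared for this form in validation.xml never run.
class RegistrationFormWeak extends ValidatorForm {
    private String email;

    public String getEmail() { return email; }
    public void setEmail(String email) { this.email = email; }

    @Override
    public ActionErrors validate(ActionMapping mapping, HttpServletRequest request) {
        ActionErrors errors = new ActionErrors(); // starts empty: framework checks skipped
        if (email != null && !email.contains("@")) {
            // "error.email.invalid" is an assumed resource-bundle key
            errors.add("email", new ActionMessage("error.email.invalid"));
        }
        return errors; // only the custom check above can ever reject input
    }
}

// Corrected version: start from the framework's result and layer custom checks on it.
public class RegistrationForm extends ValidatorForm {
    private String email;

    public String getEmail() { return email; }
    public void setEmail(String email) { this.email = email; }

    @Override
    public ActionErrors validate(ActionMapping mapping, HttpServletRequest request) {
        // Runs every rule bound to this form name in validation.xml (required,
        // maxlength, mask, ...) and collects their messages.
        ActionErrors errors = super.validate(mapping, request);
        if (errors == null) {          // defensive; the framework normally returns a list
            errors = new ActionErrors();
        }
        if (email != null && !email.contains("@")) {
            errors.add("email", new ActionMessage("error.email.invalid"));
        }
        return errors; // framework errors and custom errors are reported together
    }
}
```

A simple code-review check for this weakness is to list every class extending ValidatorForm or ValidatorActionForm that overrides validate() and confirm each override contains a super.validate(mapping, request) call.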
CWE Relationships
No relationship information available for this CWE.
Frequently Asked Questions
What is CWE-103: Struts: Incomplete validate() Method Definition?
CWE-103: Struts: Incomplete validate() Method Definition is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product has a validator form that either does not define a validate() method, or defines a validate() method but does not call super.validate(). If the code does not call super.validate(), the Validation Framework cannot check the contents of the form against a validation form. In other words, the validation framework will be disabled for the given form.
What are the security consequences of Struts: Incomplete validate() Method Definition?
If exploited, CWE-103 (Struts: Incomplete validate() Method Definition) can compromise Other, Confidentiality, Integrity and Availability, with the resulting impact classified as Other.
How do you prevent or mitigate Struts: Incomplete validate() Method Definition?
Recommended mitigations for CWE-103 include: Implement the validate() method and call super.validate() within that method.
Which programming languages are affected by Struts: Incomplete validate() Method Definition?
CWE-103 commonly affects Java. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.
What is the difference between a CWE and a CVE?
A CWE (Common Weakness Enumeration) like CWE-103 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.