CWE-104: Struts: Form Bean Does Not Extend Validation Class
If a form bean does not extend an ActionForm subclass of the Validator framework, it can expose the application to other weaknesses related to insufficient input validation.
View on MITRETechnical Details
- Structure
- Simple
Applicable To
Security Consequences
Scope
Impact
Bypassing the validation framework for a form exposes the application to numerous types of attacks. Unchecked input is an important component of vulnerabilities like cross-site scripting, process control, and SQL injection.
Scope
Impact
Although J2EE applications are not generally susceptible to memory corruption attacks, if a J2EE application interfaces with native code that does not perform array bounds checking, an attacker may be able to use an input validation mistake in the J2EE application to launch a buffer overflow attack.
Mitigation Strategies
Phase
Description
Ensure that all forms extend one of the Validation Classes.
Detection Methods
No detection method information available for this CWE.
Code Examples & CVEs
Demonstrative Examples
In the following Java example the class RegistrationForm is a Struts framework ActionForm Bean that will maintain user information from a registration webpage for an online business site. The user will enter registration data and through the Struts framework the RegistrationForm bean will maintain the user data.
However, the RegistrationForm class extends the Struts ActionForm class which does not allow the RegistrationForm class to use the Struts validator capabilities. When using the Struts framework to maintain user data in an ActionForm Bean, the class should always extend one of the validator classes, ValidatorForm, ValidatorActionForm, DynaValidatorForm or DynaValidatorActionForm. These validator classes provide default validation and the validate method for custom validation for the Bean object to use for validating input data. The following Java example shows the RegistrationForm class extending the ValidatorForm class and implementing the validate method for validating input data.
In the following Java example the class RegistrationForm is a Struts framework ActionForm Bean that will maintain user information from a registration webpage for an online business site. The user will enter registration data and through the Struts framework the RegistrationForm bean will maintain the user data.
However, the RegistrationForm class extends the Struts ActionForm class which does not allow the RegistrationForm class to use the Struts validator capabilities. When using the Struts framework to maintain user data in an ActionForm Bean, the class should always extend one of the validator classes, ValidatorForm, ValidatorActionForm, DynaValidatorForm or DynaValidatorActionForm. These validator classes provide default validation and the validate method for custom validation for the Bean object to use for validating input data. The following Java example shows the RegistrationForm class extending the ValidatorForm class and implementing the validate method for validating input data.
CWE Relationships
No relationship information available for this CWE.
Frequently Asked Questions
What is CWE-104: Struts: Form Bean Does Not Extend Validation Class?+
CWE-104: Struts: Form Bean Does Not Extend Validation Class is a Common Weakness Enumeration (CWE) entry maintained by MITRE. If a form bean does not extend an ActionForm subclass of the Validator framework, it can expose the application to other weaknesses related to insufficient input validation.
What are the security consequences of Struts: Form Bean Does Not Extend Validation Class?+
If exploited, CWE-104 (Struts: Form Bean Does Not Extend Validation Class) it can compromise Other, Confidentiality, Integrity and Availability, leading to outcomes such as Other.
How do you prevent or mitigate Struts: Form Bean Does Not Extend Validation Class?+
Recommended mitigations for CWE-104 include: Ensure that all forms extend one of the Validation Classes.
Which programming languages are affected by Struts: Form Bean Does Not Extend Validation Class?+
CWE-104 commonly affects Java. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.
What is the difference between a CWE and a CVE?+
A CWE (Common Weakness Enumeration) like CWE-104 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.