CWE-108: Struts: Unvalidated Action Form
Every Action Form must have a corresponding validation form.
Extended Description
If a Struts Action Form Mapping specifies a form, it must have a validation form defined under the Struts Validator.
Technical Details
- Structure
- Simple
Applicable To
Security Consequences
Scope
Impact
If an action form mapping does not have a validation form defined, it may be vulnerable to a number of attacks that rely on unchecked input. Unchecked input is the root cause of some of today's worst and most common software security problems. Cross-site scripting, SQL injection, and process control vulnerabilities all stem from incomplete or absent input validation.
Scope
Impact
Although J2EE applications are not generally susceptible to memory corruption attacks, if a J2EE application interfaces with native code that does not perform array bounds checking, an attacker may be able to use an input validation mistake in the J2EE application to launch a buffer overflow attack.
Mitigation Strategies
Phase
Description
Map every Action Form to a corresponding validation form. An action or a form may perform validation in other ways, but the Struts Validator provides an excellent way to verify that all input receives at least a basic level of validation. Without this approach, it is difficult, and often impossible, to establish with a high level of confidence that all input is validated.
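Whether every form bean bound to an action mapping has a validator form is a property of the configuration, so it can be audited mechanically. The script below is an added example, not part of this CWE entry or of Struts itself; it assumes a Struts 1 layout with a struts-config.xml and a validation.xml (both constructed inline here) and lists the action mappings whose form bean has no matching validator form, or which switch the validator off with validate="false".

```python
# Audit a Struts 1 configuration for CWE-108: action mappings whose form bean
# has no <form> entry in validation.xml, or that bypass the Struts Validator.
import xml.etree.ElementTree as ET

# Constructed sample struts-config.xml (assumed layout; not from a real project).
STRUTS_CONFIG = """<struts-config>
  <form-beans>
    <form-bean name="loginForm" type="org.apache.struts.validator.ValidatorForm"/>
    <form-bean name="searchForm" type="org.apache.struts.validator.ValidatorForm"/>
    <form-bean name="feedbackForm" type="org.apache.struts.validator.ValidatorForm"/>
  </form-beans>
  <action-mappings>
    <action path="/login" name="loginForm" type="app.LoginAction" input="/login.jsp"/>
    <action path="/search" name="searchForm" type="app.SearchAction" input="/search.jsp"/>
    <action path="/feedback" name="feedbackForm" type="app.FeedbackAction" validate="false"/>
    <action path="/logout" type="app.LogoutAction"/>
  </action-mappings>
</struts-config>"""

# Constructed sample validation.xml: only loginForm has validator rules.
VALIDATION_XML = """<form-validation>
  <formset>
    <form name="loginForm">
      <field property="username" depends="required,maxlength">
        <var><var-name>maxlength</var-name><var-value>32</var-value></var>
      </field>
    </form>
  </formset>
</form-validation>"""

def validated_forms(validation_xml):
    """Names of every form that has a <form> entry in some <formset>."""
    root = ET.fromstring(validation_xml)
    return {form.get("name") for form in root.iter("form")}

def find_unvalidated_forms(struts_config_xml, validation_xml):
    """Return sorted (action path, form name, reason) findings for CWE-108."""
    validated = validated_forms(validation_xml)
    findings = []
    for action in ET.fromstring(struts_config_xml).iter("action"):
        form = action.get("name")
        if form is None:  # no form bean bound to this action: nothing to validate
            continue
        # Struts 1 runs the validator only when validate is true (the default).
        if action.get("validate", "true").lower() == "false":
            findings.append((action.get("path"), form, 'validate="false" bypasses the validator'))
        elif form not in validated:
            findings.append((action.get("path"), form, "no <form> entry in validation.xml"))
    return sorted(findings)
```

The check covers only Struts Validator coverage: a form bean that validates itself by overriding validate() is outside its scope and needs a separate review, as the mitigation text notes.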
Strategy
Input Validation
Detection Methods
No detection method information available for this CWE.
Code Examples & CVEs
No examples or observed CVEs available for this CWE.
CWE Relationships
No relationship information available for this CWE.
Frequently Asked Questions
What is CWE-108: Struts: Unvalidated Action Form?
CWE-108: Struts: Unvalidated Action Form is a Common Weakness Enumeration (CWE) entry maintained by MITRE. Every Action Form must have a corresponding validation form. If a Struts Action Form Mapping specifies a form, it must have a validation form defined under the Struts Validator.
What are the security consequences of Struts: Unvalidated Action Form?
If exploited, CWE-108 (Struts: Unvalidated Action Form) can compromise Other, Confidentiality, Integrity and Availability, leading to outcomes such as Other.
How do you prevent or mitigate Struts: Unvalidated Action Form?
Recommended mitigations for CWE-108 include: Map every Action Form to a corresponding validation form. An action or a form may perform validation in other ways, but the Struts Validator provides an excellent way to verify that all input receives at least a basic level of validation. Without this approach, it is difficult, and often impossible, to establish with a high level of confidence that all input is validated.
Which programming languages are affected by Struts: Unvalidated Action Form?
CWE-108 commonly affects Java. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.
What is the difference between a CWE and a CVE?
A CWE (Common Weakness Enumeration) like CWE-108 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.