Rule Definition
The Struts Validator framework gives a Struts application one central place to validate form field input, so that it helps protect the application against attacks that rely on invalid field values. To enable it for a Struts form, the form bean must extend one of the Struts Validator form classes. Unchecked input is the root cause of vulnerabilities such as cross-site scripting, process control and SQL injection. Although J2EE applications are not generally susceptible to memory corruption attacks, if a J2EE application passes input to native code that does not perform array bounds checking, an input validation mistake in the J2EE application can let an attacker trigger a buffer overflow in that native code.
Remediation
Make the form class extend one of these classes:
org.apache.struts.validator.ValidatorForm
org.apache.struts.validator.ValidatorActionForm
org.apache.struts.validator.DynaValidatorForm
org.apache.struts.validator.DynaValidatorActionForm
Violation Code Sample
import org.apache.struts.action.ActionForm;

public class MyClassForm extends ActionForm {
    // VIOLATION: the form does not extend a Validator form class and validate is not overridden
}
Fixed Code Sample
import javax.servlet.http.HttpServletRequest;
import org.apache.struts.action.ActionErrors;
import org.apache.struts.action.ActionMapping;
import org.apache.struts.validator.ValidatorForm;

public class MyClassForm extends ValidatorForm {
    // NO VIOLATION: the form subclasses ValidatorForm and overrides the validate method
    public ActionErrors validate(ActionMapping mapping, HttpServletRequest request) {
        return super.validate(mapping, request);
    }
}
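The following is an added example, not code from the original rule page or from CAST, of a form bean that satisfies this rule: it extends ValidatorForm, overrides validate with the Struts 1 signature, calls super.validate so the declarative rules from validation.xml still run, and adds a programmatic allowlist check on top. The form name, field names, message key and pattern are assumptions chosen for illustration.

```java
// Added example (not from the original rule page): a Struts 1 form bean that
// complies with the rule by extending ValidatorForm and overriding validate().
// Field names, the message key and the regex are assumptions for illustration.
import java.util.regex.Pattern;
import javax.servlet.http.HttpServletRequest;
import org.apache.struts.action.ActionErrors;
import org.apache.struts.action.ActionMapping;
import org.apache.struts.action.ActionMessage;
import org.apache.struts.validator.ValidatorForm;

public class LoginForm extends ValidatorForm {

    // Allowlist pattern for the username field (assumption for this example).
    private static final Pattern USERNAME = Pattern.compile("^[A-Za-z0-9_.-]{3,32}$");

    private String username;
    private String password;

    public String getUsername() { return username; }
    public void setUsername(String username) { this.username = username; }
    public String getPassword() { return password; }
    public void setPassword(String password) { this.password = password; }

    @Override
    public ActionErrors validate(ActionMapping mapping, HttpServletRequest request) {
        // Run the declarative rules (required, maxlength, mask, ...) declared for
        // this form in validation.xml; they are skipped if super is not called.
        ActionErrors errors = super.validate(mapping, request);
        if (errors == null) {
            errors = new ActionErrors();
        }
        // Programmatic allowlist check that complements the XML rules.
        if (username == null || !USERNAME.matcher(username).matches()) {
            errors.add("username", new ActionMessage("errors.username.invalid"));
        }
        // A non-empty ActionErrors makes Struts redirect back to the input page
        // instead of invoking the Action, so invalid input never reaches it.
        return errors;
    }

    @Override
    public void reset(ActionMapping mapping, HttpServletRequest request) {
        // Clear stale values so a session-scoped form cannot carry over input.
        username = null;
        password = null;
    }
}
```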
Reference
http://cwe.mitre.org/documents/sources/SevenPerniciousKingdoms.pdf
http://cwe.mitre.org/data/definitions/104.html
Related Technologies
JEE
Technical Criterion
OWASP-2017-A6 - Security Misconfiguration
About CAST Appmarq
CAST Appmarq is by far the biggest repository of data about real IT systems. It's built on thousands of analyzed applications, made of 35 different technologies, by over 300 business organizations across major verticals. It provides IT Leaders with factual key analytics to let them know if their applications are on track.