CWE-103: Struts: Incomplete validate() Method Definition
The product has a validator form that either does not define a validate() method, or defines a validate() method but does not call super.validate().
Last updated
Overview
CWE-103 (Struts: Incomplete validate() Method Definition) is a variant-level software weakness catalogued by MITRE in the Common Weakness Enumeration (CWE). It describes a recurring type of mistake that can lead to exploitable security vulnerabilities.
Background
The Struts Validator uses a form's validate() method to check the contents of the form properties against the constraints specified in the associated validation form. That means the following classes have a validate() method that is part of the validation framework: ValidatorForm, ValidatorActionForm, DynaValidatorForm, and DynaValidatorActionForm. If the code creates a class that extends one of these classes, and if that class implements custom validation logic by overriding the validate() method, the code must call super.validate() in the validate() implementation.
Common consequences
What can happen when CWE-103 is exploited.
Unexpected State, Varies by Context
Affects: Other
If the code does not call super.validate(), the Validation Framework cannot check the contents of the form against a validation form. In other words, the validation framework will be disabled for the given form. Disabling the validation framework for a form exposes the product to numerous types of attacks.
Other
Affects: Confidentiality, Integrity, Availability, Other
Although J2EE applications are not generally susceptible to memory corruption attacks, if a J2EE application interfaces with native code that does not perform array bounds checking, an attacker may be able to use an input validation mistake in the J2EE application to launch a buffer overflow attack.
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.