CWE-104: Struts: Form Bean Does Not Extend Validation Class
If a form bean does not extend an ActionForm subclass of the Validator framework, it can expose the application to other weaknesses related to insufficient input validation.
Last updated
Overview
CWE-104 (Struts: Form Bean Does Not Extend Validation Class) is a variant-level software weakness catalogued by MITRE in the Common Weakness Enumeration (CWE). It describes a recurring type of mistake that can lead to exploitable security vulnerabilities.
Background
In order to use the Struts Validator, a form must extend one of the following: ValidatorForm, ValidatorActionForm, DynaValidatorActionForm, and DynaValidatorForm. One of these classes must be extended because the Struts Validator ties in to the application by implementing the validate() method in these classes. Forms derived from the ActionForm and DynaActionForm classes cannot use the Struts Validator.
Common consequences
What can happen when CWE-104 is exploited.
Other
Affects: Other
Bypassing the validation framework for a form exposes the application to numerous types of attacks. Unchecked input is an important component of vulnerabilities like cross-site scripting, process control, and SQL injection.
Other
Affects: Confidentiality, Integrity, Availability, Other
Although J2EE applications are not generally susceptible to memory corruption attacks, if a J2EE application interfaces with native code that does not perform array bounds checking, an attacker may be able to use an input validation mistake in the J2EE application to launch a buffer overflow attack.
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
Applies to
Languages
How to prevent it
Practical mitigations for CWE-104, grouped by where in the lifecycle they apply.
Ensure that all forms extend one of the Validation Classes.
How to detect it
Automated Static Analysis
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Effectiveness: High
Code examples
Illustrative examples from MITRE showing how the weakness appears in code.
In the following Java example the class RegistrationForm is a Struts framework ActionForm Bean that will maintain user information from a registration webpage for an online business site. The user will enter registration data and through the Struts framework the RegistrationForm bean will maintain the user data.
Vulnerable example
public class RegistrationForm extends org.apache.struts.action.ActionForm {Safe example
public class RegistrationForm extends org.apache.struts.validator.ValidatorForm {Terminology & mappings
Mapped taxonomies
- 7 Pernicious Kingdoms: Struts: Form Bean Does Not Extend Validation Class
- Software Fault Patterns: Tainted input to command (SFP24)
Frequently asked questions
Common questions about CWE-104.
- What is CWE-104?
- If a form bean does not extend an ActionForm subclass of the Validator framework, it can expose the application to other weaknesses related to insufficient input validation.
- How do you prevent CWE-104?
- Ensure that all forms extend one of the Validation Classes.
- How is CWE-104 detected?
- Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
- What are the consequences of CWE-104?
- Exploiting CWE-104 can lead to: Other.
References
- MITRE CWE definition (CWE-104) (opens in a new tab)
- CWE-104 vulnerabilities on NVD (opens in a new tab)
- Learn: What is a CWE?
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Stay ahead of CWE-104
Get alerted the moment a new CWE-104 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.