CWE-105: Struts: Form Field Without Validator
The product has a form field that is not validated by a corresponding validation form, which can introduce other weaknesses related to insufficient input validation.
Last updated
Overview
Omitting validation for even a single input field may give attackers the leeway they need to compromise the product. Although J2EE applications are not generally susceptible to memory corruption attacks, if a J2EE application interfaces with native code that does not perform array bounds checking, an attacker may be able to use an input validation mistake in the J2EE application to launch a buffer overflow attack.
Common consequences
What can happen when CWE-105 is exploited.
Unexpected State
Affects: Integrity
Bypass Protection Mechanism
Affects: Integrity
If unused fields are not validated, shared business logic in an action may allow attackers to bypass the validation checks that are performed for other uses of the form.
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
Applies to
Languages
How to prevent it
Practical mitigations for CWE-105, grouped by where in the lifecycle they apply.