The product has a form field that is not validated by a corresponding validation form, which can introduce other weaknesses related to insufficient input validation.
Last updated
Omitting validation for even a single input field may give attackers the leeway they need to compromise the product. Although J2EE applications are not generally susceptible to memory corruption attacks, if a J2EE application interfaces with native code that does not perform array bounds checking, an attacker may be able to use an input validation mistake in the J2EE application to launch a buffer overflow attack.
What can happen when CWE-105 is exploited.
Unexpected State
Affects: Integrity
Bypass Protection Mechanism
Affects: Integrity
If unused fields are not validated, shared business logic in an action may allow attackers to bypass the validation checks that are performed for other uses of the form.
Typically introduced during these phases of the software lifecycle.
Languages
Practical mitigations for CWE-105, grouped by where in the lifecycle they apply.
Validate all form fields. If a field is unused, it is still important to constrain it so that it is empty or undefined.
Illustrative examples from MITRE showing how the weakness appears in code.
In the following example the Java class RegistrationForm is a Struts framework ActionForm Bean that will maintain user input data from a registration webpage for an online business site. The user will enter registration data and, through the Struts framework, the RegistrationForm bean will maintain the user data in the form fields using the private member variables. The RegistrationForm class uses the Struts validation capability by extending the ValidatorForm class and including the validation for the form fields within the validator XML file, validator.xml.
Resulting query
public class RegistrationForm extends org.apache.struts.validator.ValidatorForm {Vulnerable example
<form-validation>Safe example
<form-validation>Common questions about CWE-105.
The product has a form field that is not validated by a corresponding validation form, which can introduce other weaknesses related to insufficient input validation.
Validate all form fields. If a field is unused, it is still important to constrain it so that it is empty or undefined.
Exploiting CWE-105 can lead to: Unexpected State, Bypass Protection Mechanism.
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Get alerted the moment a new CWE-105 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.