Automatic filtering via a Struts bean has been turned off, which disables the Struts Validator and custom validation logic. This exposes the application to other weaknesses related to insufficient input validation.

How do you prevent CWE-109?

Ensure that an action form mapping enables validation. Set the validate field to true.

What are the consequences of CWE-109?

Exploiting CWE-109 can lead to: Bypass Protection Mechanism.

CWE-109: Struts: Validator Turned Off

Code examples

Illustrative examples from MITRE showing how the weakness appears in code.

This mapping defines an action for a download form:

Vulnerable example

xml

<action path="/download"

This mapping has disabled validation. Disabling validation exposes this action to numerous types of attacks.

CWE-109: Struts: Validator Turned Off

Overview

Common consequences

How it happens

When it is introduced

Applies to

How to prevent it

Code examples

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CWE-109?

How do you prevent CWE-109?

What are the consequences of CWE-109?

References

Stay ahead of CWE-109

Overview

Common consequences

How it happens

When it is introduced

Applies to

How to prevent it

Code examples

Related weaknesses

Parent

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CWE-109?

How do you prevent CWE-109?

What are the consequences of CWE-109?

References

Stay ahead of CWE-109