Struts: Unvalidated Action Form
In Apache Struts, every Action Form that processes user input must have a corresponding validation form configured. Missing this validation exposes the application to unvalidated data.
This vulnerability occurs when a Struts configuration maps an Action Form but fails to link it to a validation form via the Struts Validator framework. Without this link, user-submitted data flows directly into your application logic and backend systems without any automatic checks, making it a prime target for injection attacks and data corruption. To fix this, you must ensure that for every `<action>` mapping that specifies a `name` attribute (pointing to a form bean), a corresponding validation rule is defined in the `validation.xml` file. This setup enforces that all input meets your defined criteria before the associated Action class executes, closing a critical security gap in your request handling pipeline.
Impact: Other
If an action form mapping does not have a validation form defined, it may be vulnerable to a number of attacks that rely on unchecked input. Unchecked input is the root cause of some of today's worst and most common software security problems. Cross-site scripting, SQL injection, and process control vulnerabilities all stem from incomplete or absent input validation.
Impact: Other
Although J2EE applications are not generally susceptible to memory corruption attacks, if a J2EE application interfaces with native code that does not perform array bounds checking, an attacker may be able to use an input validation mistake in the J2EE application to launch a buffer overflow attack.
Strategy: Input Validation
- 7 Pernicious Kingdoms
- Software Fault Patterns