Struts: Validator Turned Off

Description

This vulnerability occurs when an application built with Apache Struts intentionally disables its built-in validation framework. By turning off the Struts Validator bean, developers remove critical automatic input filtering and custom validation rules, leaving the application unprotected against malicious or malformed data.

Extended Description

The Struts Validator provides a crucial security layer by automatically checking and cleaning user input against predefined rules. When developers disable this feature—often to simplify form handling or bypass validation errors during development—they effectively strip the application of its primary defense against common injection attacks, cross-site scripting (XSS), and other input-based exploits. This creates a direct path for attackers to submit dangerous payloads. To prevent this, ensure the Struts Validator is always enabled in production environments. Instead of turning it off, properly configure validation rules in the `validation.xml` file and address any validation errors during development by refining the rules, not by disabling the security mechanism. Regularly audit Struts configuration files to confirm the Validator bean remains active and that all forms have appropriate validation logic defined.

Common Consequences 1

Scope: Access Control

Impact: Bypass Protection Mechanism

Potential Mitigations 1

Phase: Implementation

Ensure that an action form mapping enables validation. Set the validate field to true.

Demonstrative Examples 1

This mapping defines an action for a download form:

Code Example:Bad
XML
xml

This mapping has disabled validation. Disabling validation exposes this action to numerous types of attacks.

References 1

Seven Pernicious Kingdoms: A Taxonomy of Software Security Errors

Katrina Tsipenyuk, Brian Chess, and Gary McGraw

NIST Workshop on Software Security Assurance Tools Techniques and Metrics • NIST

07-11-2005

https://samate.nist.gov/SSATTM_Content/papers/Seven%20Pernicious%20Kingdoms%20-%20Taxonomy%20of%20Sw%20Security%20Errors%20-%20Tsipenyuk%20-%20Chess%20-%20McGraw.pdf

ID: REF-6

Applicable Platforms

Languages:

Java : Undetermined

Modes of Introduction

Implementation

Related Weaknesses

ChildOf:

Improper Use of Validation Framework (CWE-1173)

ChildOf:

Improper Input Validation (CWE-20)

Taxonomy Mapping

7 Pernicious Kingdoms
Software Fault Patterns

Notes

OtherThe Action Form mapping in the demonstrative example disables the form's validate() method. The Struts bean: write tag automatically encodes special HTML characters, replacing a < with "<" and a > with ">". This action can be disabled by specifying filter="false" as an attribute of the tag to disable specified JSP pages. However, being disabled makes these pages susceptible to cross-site scripting attacks. An attacker may be able to insert malicious scripts as user input to write to these JSP pages.