Führe statische Analyse (SAST) auf der Codebasis aus und suche im Datenfluss nach dem unsicheren Muster.
CWE-107 Variant Draft
Struts: Unused Validation Form
This vulnerability occurs when a Struts application contains validation form definitions that are no longer linked to any active form or action, leaving outdated security rules in the codebase.
Definition
What is CWE-107?
This vulnerability occurs when a Struts application contains validation form definitions that are no longer linked to any active form or action, leaving outdated security rules in the codebase.
In Struts frameworks, validation logic is often tied to specific form or action mappings. When developers rename or remove these mappings during refactoring, they can easily overlook the corresponding validation forms. These orphaned validation rules remain in the configuration files, creating a false sense of security and cluttering the code with dead logic.
This situation is problematic because it indicates that the application's validation layer is not being properly maintained. Attackers may exploit the gap between the actual form processing and the intended validation rules, potentially bypassing client-side or server-side checks. Regularly auditing and removing unused validation forms is essential to keep security configurations accurate and effective.
Auswirkungen in der Praxis
Real-world CVEs caused by CWE-107
Bisher sind in MITREs Katalog keine öffentlichen CVE-Referenzen mit dieser CWE verknüpft.
Wie Angreifer es ausnutzen
Angreiferpfad Schritt für Schritt
- 1
In the following example the class RegistrationForm is a Struts framework ActionForm Bean that will maintain user input data from a registration webpage for an online business site. The user will enter registration data and, through the Struts framework, the RegistrationForm bean will maintain the user data in the form fields using the private member variables. The RegistrationForm class uses the Struts validation capability by extending the ValidatorForm class and including the validation for the form fields within the validator XML file, validator.xml.
- 2
However, the validator XML file, validator.xml, for the RegistrationForm class includes the validation form for the user input form field "phone" that is no longer used by the input form and the RegistrationForm class. Any validation forms that are no longer required should be removed from the validator XML file, validator.xml.
- 3
The existence of unused forms may be an indication to attackers that this code is out of date or poorly maintained.
Verwundbares Codebeispiel
Vulnerable Java
In the following example the class RegistrationForm is a Struts framework ActionForm Bean that will maintain user input data from a registration webpage for an online business site. The user will enter registration data and, through the Struts framework, the RegistrationForm bean will maintain the user data in the form fields using the private member variables. The RegistrationForm class uses the Struts validation capability by extending the ValidatorForm class and including the validation for the form fields within the validator XML file, validator.xml.
public class RegistrationForm extends org.apache.struts.validator.ValidatorForm {
```
// private variables for registration form*
private String name;
private String address;
private String city;
private String state;
private String zipcode;
*// no longer using the phone form field*
*// private String phone;*
private String email;
public RegistrationForm() {
```
super();
}
```
// getter and setter methods for private variables*
...} Sicheres Codebeispiel
Secure pseudo
// Validate, sanitize, or use a safe API before reaching the sink.
function handleRequest(input) {
const safe = validateAndEscape(input);
return executeWithGuards(safe);
} What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Präventions-Checkliste
How to prevent CWE-107
- Implementation Remove the unused Validation Form from the validation.xml file.
Erkennungssignale
How to detect CWE-107
Führe dynamische Application-Security-Tests gegen den Live-Endpoint aus.
Beobachte Runtime-Logs auf ungewöhnliche Exception-Traces, fehlerhafte Eingaben oder Versuche, Autorisierung zu umgehen.
Code Review: Markiere jeden neuen Code, der Eingaben von dieser Oberfläche ohne validierte Framework-Helper verarbeitet.
Plexicus erkennt CWE-107 automatisch und öffnet in unter 60 Sekunden einen Fix-PR.
Codex Remedium scannt jeden Commit, identifiziert genau diese Schwachstelle und liefert einen reviewer-ready Pull Request mit dem Patch. Keine Tickets. Keine Hand-offs.
Häufig gestellte Fragen Was ist CWE-107?
Wie gravierend ist CWE-107?
Welche Sprachen oder Plattformen sind von CWE-107 betroffen?
Wie kann ich CWE-107 verhindern?
Wie erkennt und behebt Plexicus CWE-107?
Wo erfahre ich mehr über CWE-107?
Frequently asked questions
Was ist CWE-107?
This vulnerability occurs when a Struts application contains validation form definitions that are no longer linked to any active form or action, leaving outdated security rules in the codebase.
Wie gravierend ist CWE-107?
MITRE hat für diese Schwachstelle keine Exploit-Wahrscheinlichkeit veröffentlicht. Behandle sie als mittlere Auswirkung, bis dein Threat Model anderes belegt.
Welche Sprachen oder Plattformen sind von CWE-107 betroffen?
MITRE lists the following affected platforms: Java.
Wie kann ich CWE-107 verhindern?
Remove the unused Validation Form from the validation.xml file.
Wie erkennt und behebt Plexicus CWE-107?
Die SAST-Engine von Plexicus erkennt die Datenfluss-Signatur von CWE-107 bei jedem Commit. Bei einem Treffer öffnet unser Codex-Remedium-Agent einen Fix-PR mit korrigiertem Code, Tests und einer einzeiligen Zusammenfassung für den Reviewer.
Wo erfahre ich mehr über CWE-107?
MITRE veröffentlicht die kanonische Definition unter https://cwe.mitre.org/data/definitions/107.html. Für ergänzende Hinweise kannst du auch die OWASP- und NIST-Dokumentation heranziehen.
Verwandte Schwachstellen
Weaknesses related to CWE-107
CWE-1164 Parent
Irrelevant Code
Irrelevant code refers to sections of a program that have no impact on its execution, data, or logic. Removing this code would not change…
CWE-1071 Sibling
Empty Code Block
An empty code block occurs when a section of source code, such as a conditional statement or function body, contains no executable…
CWE-110 Sibling
Struts: Validator Without Form Field
This vulnerability occurs when a Struts application's validation configuration file references form fields that no longer exist in the…
CWE-561 Sibling
Dead Code
Dead code refers to sections of a program that can never run during normal execution, effectively making them inactive and unreachable.
CWE-563 Sibling
Assignment to Variable without Use
This vulnerability occurs when a value is stored in a variable, but that variable is never read or used in subsequent code, creating a…
Ressourcen
Further reading
- MITRE — offizielle CWE-107 https://cwe.mitre.org/data/definitions/107.html
- Seven Pernicious Kingdoms: A Taxonomy of Software Security Errors https://samate.nist.gov/SSATTM_Content/papers/Seven%20Pernicious%20Kingdoms%20-%20Taxonomy%20of%20Sw%20Security%20Errors%20-%20Tsipenyuk%20-%20Chess%20-%20McGraw.pdf
Bereit, wenn du es bist
Schluss mit dem Bezahlen pro Entwickler.
Schließ den Kreislauf.
Plexicus ist die KI-native ASPM, die scannt, filtert, fixt, pentestet und erklärt — autonom. Unbegrenzte Entwickler, unbegrenzte Repos, Fair-Use-KI-Aktionen. Echter kostenloser Tarif, €269/mo jährlich, wenn du bereit bist.