Ejecuta análisis estático (SAST) sobre el código buscando el patrón inseguro en el flujo de datos.
CWE-105 Variante Borrador
Struts: Form Field Without Validator
This vulnerability occurs when a Struts application form contains an input field that lacks a corresponding validator, leaving it open to unverified user input.
Definición
What is CWE-105?
This vulnerability occurs when a Struts application form contains an input field that lacks a corresponding validator, leaving it open to unverified user input.
Leaving even one form field without validation creates a direct opening for attackers. They can exploit this oversight to inject malicious data, bypass security checks, or manipulate application logic, potentially leading to data breaches, unauthorized access, or system compromise.
While Java applications themselves are often protected from low-level memory issues, the risk escalates if the application interacts with native code or external systems. An attacker could use this unvalidated input as an entry point to trigger buffer overflows or other critical vulnerabilities in those connected components, turning a simple input oversight into a severe chained attack.
Impacto en el mundo real
Real-world CVEs caused by CWE-105
Todavía no hay CVEs públicos enlazados a esta CWE en el catálogo de MITRE.
Cómo lo explotan los atacantes
Ruta del atacante paso a paso
- 1
In the following example the Java class RegistrationForm is a Struts framework ActionForm Bean that will maintain user input data from a registration webpage for an online business site. The user will enter registration data and, through the Struts framework, the RegistrationForm bean will maintain the user data in the form fields using the private member variables. The RegistrationForm class uses the Struts validation capability by extending the ValidatorForm class and including the validation for the form fields within the validator XML file, validator.xml.
- 2
The validator XML file, validator.xml, provides the validation for the form fields of the RegistrationForm.
- 3
However, in the previous example the validator XML file, validator.xml, does not provide validators for all of the form fields in the RegistrationForm. Validator forms are only provided for the first five of the seven form fields. The validator XML file should contain validator forms for all of the form fields for a Struts ActionForm bean. The following validator.xml file for the RegistrationForm class contains validator forms for all of the form fields.
Ejemplo de código vulnerable
Vulnerable XML
The validator XML file, validator.xml, provides the validation for the form fields of the RegistrationForm.
<form-validation>
<formset>
<form name="RegistrationForm">
<field property="name" depends="required">
<arg position="0" key="prompt.name"/>
</field>
<field property="address" depends="required">
<arg position="0" key="prompt.address"/>
</field>
<field property="city" depends="required">
<arg position="0" key="prompt.city"/>
</field>
<field property="state" depends="required,mask">
<arg position="0" key="prompt.state"/>
<var>
<var-name>mask</var-name>
<var-value>[a-zA-Z]{2}</var-value>
</var>
</field>
<field property="zipcode" depends="required,mask">
<arg position="0" key="prompt.zipcode"/>
<var>
<var-name>mask</var-name>
<var-value>\d{5}</var-value>
</var>
</field>
</form>
</formset>
</form-validation> Ejemplo de código seguro
Secure XML
However, in the previous example the validator XML file, validator.xml, does not provide validators for all of the form fields in the RegistrationForm. Validator forms are only provided for the first five of the seven form fields. The validator XML file should contain validator forms for all of the form fields for a Struts ActionForm bean. The following validator.xml file for the RegistrationForm class contains validator forms for all of the form fields.
<form-validation>
<formset>
<form name="RegistrationForm">
<field property="name" depends="required">
<arg position="0" key="prompt.name"/>
</field>
<field property="address" depends="required">
<arg position="0" key="prompt.address"/>
</field>
<field property="city" depends="required">
<arg position="0" key="prompt.city"/>
</field>
<field property="state" depends="required,mask">
<arg position="0" key="prompt.state"/>
<var>
<var-name>mask</var-name>
<var-value>[a-zA-Z]{2}</var-value>
</var>
</field>
<field property="zipcode" depends="required,mask">
<arg position="0" key="prompt.zipcode"/>
<var>
<var-name>mask</var-name>
<var-value>\d{5}</var-value>
</var>
</field>
<field property="phone" depends="required,mask">
<arg position="0" key="prompt.phone"/>
<var>
<var-name>mask</var-name>
<var-value>^([0-9]{3})(-)([0-9]{4}|[0-9]{4})$</var-value>
</var>
</field>
<field property="email" depends="required,email">
<arg position="0" key="prompt.email"/>
</field>
</form>
</formset>
</form-validation> What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Lista de prevención
How to prevent CWE-105
- Implementation Validate all form fields. If a field is unused, it is still important to constrain it so that it is empty or undefined.
Señales de detección
How to detect CWE-105
Ejecuta pruebas dinámicas de seguridad de aplicaciones (DAST) contra el endpoint en vivo.
Vigila los logs en tiempo de ejecución para detectar trazas de excepción inusuales, entradas malformadas o intentos de bypass de autorización.
Revisión de código: marca cualquier código nuevo que maneje entrada desde esta superficie sin usar los helpers validados del framework.
Plexicus detecta automáticamente CWE-105 y abre un PR de corrección en menos de 60 segundos.
Codex Remedium escanea cada commit, identifica esta debilidad concreta y entrega un pull request listo para revisión con el parche. Sin tickets. Sin traspasos.
Preguntas frecuentes ¿Qué es CWE-105?
¿Qué gravedad tiene CWE-105?
¿Qué lenguajes o plataformas se ven afectados por CWE-105?
¿Cómo puedo prevenir CWE-105?
¿Cómo detecta y corrige Plexicus CWE-105?
¿Dónde puedo aprender más sobre CWE-105?
Frequently asked questions
¿Qué es CWE-105?
This vulnerability occurs when a Struts application form contains an input field that lacks a corresponding validator, leaving it open to unverified user input.
¿Qué gravedad tiene CWE-105?
MITRE no ha publicado una calificación de probabilidad de explotación para esta debilidad. Trátala como de impacto medio hasta que tu modelo de amenazas demuestre lo contrario.
¿Qué lenguajes o plataformas se ven afectados por CWE-105?
MITRE lists the following affected platforms: Java.
¿Cómo puedo prevenir CWE-105?
Validate all form fields. If a field is unused, it is still important to constrain it so that it is empty or undefined.
¿Cómo detecta y corrige Plexicus CWE-105?
El motor SAST de Plexicus detecta la firma de flujo de datos para CWE-105 en cada commit. Cuando hay coincidencia, nuestro agente Codex Remedium abre un PR de corrección con el código corregido, las pruebas y un resumen de una línea para el revisor.
¿Dónde puedo aprender más sobre CWE-105?
MITRE publica la definición canónica en https://cwe.mitre.org/data/definitions/105.html. También puedes consultar la documentación de OWASP y NIST para guías relacionadas.
Debilidades relacionadas
Weaknesses related to CWE-105
CWE-1173 Padre
Improper Use of Validation Framework
This vulnerability occurs when a software application either fails to use or incorrectly implements a built-in or library-provided input…
CWE-102 Hermano
Struts: Duplicate Validation Forms
This vulnerability occurs when an application defines multiple Struts validation forms with identical names. The framework then…
CWE-106 Hermano
Struts: Plug-in Framework not in Use
This weakness occurs when a Java application, particularly one using the Struts framework, does not implement a structured input…
CWE-108 Hermano
Struts: Unvalidated Action Form
In Apache Struts, every Action Form that processes user input must have a corresponding validation form configured. Missing this…
CWE-109 Hermano
Struts: Validator Turned Off
This vulnerability occurs when an application built with Apache Struts intentionally disables its built-in validation framework. By…
CWE-1174 Hermano
ASP.NET Misconfiguration: Improper Model Validation
This vulnerability occurs when an ASP.NET application either completely bypasses the built-in model validation system or implements it…
CWE-554 Hermano
ASP.NET Misconfiguration: Not Using Input Validation Framework
This vulnerability occurs when an ASP.NET application fails to implement a structured input validation framework, relying instead on…
Recursos
Further reading
- MITRE — CWE-105 oficial https://cwe.mitre.org/data/definitions/105.html
- Seven Pernicious Kingdoms: A Taxonomy of Software Security Errors https://samate.nist.gov/SSATTM_Content/papers/Seven%20Pernicious%20Kingdoms%20-%20Taxonomy%20of%20Sw%20Security%20Errors%20-%20Tsipenyuk%20-%20Chess%20-%20McGraw.pdf
Listo cuando tú lo estés
Deja de pagar por desarrollador.
Empieza a cerrar el bucle.
Plexicus es el ASPM nativo de IA que escanea, filtra, corrige, pentestea y explica — de forma autónoma. Desarrolladores ilimitados, repos ilimitados, acciones de IA de uso justo. Nivel gratuito real, €269/mo anual cuando estés listo.