Ejecuta análisis estático (SAST) sobre el código buscando el patrón inseguro en el flujo de datos.
CWE-106 Variante Borrador
Struts: Plug-in Framework not in Use
This weakness occurs when a Java application, particularly one using the Struts framework, does not implement a structured input validation plugin like the Struts Validator. Skipping this framework…
Definición
What is CWE-106?
This weakness occurs when a Java application, particularly one using the Struts framework, does not implement a structured input validation plugin like the Struts Validator. Skipping this framework forces developers to write custom validation logic, which is often error-prone and increases the risk of security flaws from improperly handled user input.
Without a dedicated validation framework, your application becomes vulnerable to common web attacks. Unchecked user input is a primary entry point for cross-site scripting (XSS), SQL injection, and unauthorized command execution, as attackers can inject malicious code or manipulate application logic.
While Java environments typically avoid memory corruption issues, the risk extends to integrated native code. If your J2EE application passes unvalidated data to native libraries or components that lack proper bounds checking, a simple input validation oversight can escalate into a severe buffer overflow attack, compromising the entire system.
Impacto en el mundo real
Real-world CVEs caused by CWE-106
Todavía no hay CVEs públicos enlazados a esta CWE en el catálogo de MITRE.
Cómo lo explotan los atacantes
Ruta del atacante paso a paso
- 1
In the following Java example the class RegistrationForm is a Struts framework ActionForm Bean that will maintain user input data from a registration webpage for an online business site. The user will enter registration data and, through the Struts framework, the RegistrationForm bean will maintain the user data.
- 2
However, the RegistrationForm class extends the Struts ActionForm class which does use the Struts validator plug-in to provide validator capabilities. In the following example, the RegistrationForm Java class extends the ValidatorForm and Struts configuration XML file, struts-config.xml, instructs the application to use the Struts validator plug-in.
- 3
The plug-in tag of the Struts configuration XML file includes the name of the validator plug-in to be used and includes a set-property tag to instruct the application to use the file, validator-rules.xml, for default validation rules and the file, validation.XML, for custom validation.
Ejemplo de código vulnerable
Vulnerable Java
In the following Java example the class RegistrationForm is a Struts framework ActionForm Bean that will maintain user input data from a registration webpage for an online business site. The user will enter registration data and, through the Struts framework, the RegistrationForm bean will maintain the user data.
public class RegistrationForm extends org.apache.struts.action.ActionForm {
```
// private variables for registration form*
private String name;
private String email;
...
public RegistrationForm() {
```
super();
}
```
// getter and setter methods for private variables*
...
} Ejemplo de código seguro
Secure Java
However, the RegistrationForm class extends the Struts ActionForm class which does use the Struts validator plug-in to provide validator capabilities. In the following example, the RegistrationForm Java class extends the ValidatorForm and Struts configuration XML file, struts-config.xml, instructs the application to use the Struts validator plug-in.
public class RegistrationForm extends org.apache.struts.validator.ValidatorForm {
```
// private variables for registration form*
private String name;
private String email;
...
public RegistrationForm() {
```
super();
}
public ActionErrors validate(ActionMapping mapping, HttpServletRequest request) {...}
```
// getter and setter methods for private variables*
...
} What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Lista de prevención
How to prevent CWE-106
- Architecture and Design Use an input validation framework such as Struts.
- Architecture and Design Use an input validation framework such as Struts.
- Implementation Use the Struts Validator to validate all program input before it is processed by the application. Ensure that there are no holes in the configuration of the Struts Validator. Example uses of the validator include checking to ensure that: - Phone number fields contain only valid characters in phone numbers - Boolean values are only "T" or "F" - Free-form strings are of a reasonable length and composition
- Implementation Use the Struts Validator to validate all program input before it is processed by the application. Ensure that there are no holes in the configuration of the Struts Validator. Example uses of the validator include checking to ensure that: - Phone number fields contain only valid characters in phone numbers - Boolean values are only "T" or "F" - Free-form strings are of a reasonable length and composition
Señales de detección
How to detect CWE-106
Ejecuta pruebas dinámicas de seguridad de aplicaciones (DAST) contra el endpoint en vivo.
Vigila los logs en tiempo de ejecución para detectar trazas de excepción inusuales, entradas malformadas o intentos de bypass de autorización.
Revisión de código: marca cualquier código nuevo que maneje entrada desde esta superficie sin usar los helpers validados del framework.
Plexicus detecta automáticamente CWE-106 y abre un PR de corrección en menos de 60 segundos.
Codex Remedium escanea cada commit, identifica esta debilidad concreta y entrega un pull request listo para revisión con el parche. Sin tickets. Sin traspasos.
Preguntas frecuentes ¿Qué es CWE-106?
¿Qué gravedad tiene CWE-106?
¿Qué lenguajes o plataformas se ven afectados por CWE-106?
¿Cómo puedo prevenir CWE-106?
¿Cómo detecta y corrige Plexicus CWE-106?
¿Dónde puedo aprender más sobre CWE-106?
Frequently asked questions
¿Qué es CWE-106?
This weakness occurs when a Java application, particularly one using the Struts framework, does not implement a structured input validation plugin like the Struts Validator. Skipping this framework forces developers to write custom validation logic, which is often error-prone and increases the risk of security flaws from improperly handled user input.
¿Qué gravedad tiene CWE-106?
MITRE no ha publicado una calificación de probabilidad de explotación para esta debilidad. Trátala como de impacto medio hasta que tu modelo de amenazas demuestre lo contrario.
¿Qué lenguajes o plataformas se ven afectados por CWE-106?
MITRE lists the following affected platforms: Java.
¿Cómo puedo prevenir CWE-106?
Use an input validation framework such as Struts. Use an input validation framework such as Struts.
¿Cómo detecta y corrige Plexicus CWE-106?
El motor SAST de Plexicus detecta la firma de flujo de datos para CWE-106 en cada commit. Cuando hay coincidencia, nuestro agente Codex Remedium abre un PR de corrección con el código corregido, las pruebas y un resumen de una línea para el revisor.
¿Dónde puedo aprender más sobre CWE-106?
MITRE publica la definición canónica en https://cwe.mitre.org/data/definitions/106.html. También puedes consultar la documentación de OWASP y NIST para guías relacionadas.
Debilidades relacionadas
Weaknesses related to CWE-106
CWE-1173 Padre
Improper Use of Validation Framework
This vulnerability occurs when a software application either fails to use or incorrectly implements a built-in or library-provided input…
CWE-102 Hermano
Struts: Duplicate Validation Forms
This vulnerability occurs when an application defines multiple Struts validation forms with identical names. The framework then…
CWE-105 Hermano
Struts: Form Field Without Validator
This vulnerability occurs when a Struts application form contains an input field that lacks a corresponding validator, leaving it open to…
CWE-108 Hermano
Struts: Unvalidated Action Form
In Apache Struts, every Action Form that processes user input must have a corresponding validation form configured. Missing this…
CWE-109 Hermano
Struts: Validator Turned Off
This vulnerability occurs when an application built with Apache Struts intentionally disables its built-in validation framework. By…
CWE-1174 Hermano
ASP.NET Misconfiguration: Improper Model Validation
This vulnerability occurs when an ASP.NET application either completely bypasses the built-in model validation system or implements it…
CWE-554 Hermano
ASP.NET Misconfiguration: Not Using Input Validation Framework
This vulnerability occurs when an ASP.NET application fails to implement a structured input validation framework, relying instead on…
Recursos
Further reading
- MITRE — CWE-106 oficial https://cwe.mitre.org/data/definitions/106.html
- Seven Pernicious Kingdoms: A Taxonomy of Software Security Errors https://samate.nist.gov/SSATTM_Content/papers/Seven%20Pernicious%20Kingdoms%20-%20Taxonomy%20of%20Sw%20Security%20Errors%20-%20Tsipenyuk%20-%20Chess%20-%20McGraw.pdf
Listo cuando tú lo estés
Deja de pagar por desarrollador.
Empieza a cerrar el bucle.
Plexicus es el ASPM nativo de IA que escanea, filtra, corrige, pentestea y explica — de forma autónoma. Desarrolladores ilimitados, repos ilimitados, acciones de IA de uso justo. Nivel gratuito real, €269/mo anual cuando estés listo.