Ejecuta análisis estático (SAST) sobre el código buscando el patrón inseguro en el flujo de datos.
CWE-107 Variante Borrador
Struts: Unused Validation Form
This vulnerability occurs when a Struts application contains validation form definitions that are no longer linked to any active form or action, leaving outdated security rules in the codebase.
Definición
What is CWE-107?
This vulnerability occurs when a Struts application contains validation form definitions that are no longer linked to any active form or action, leaving outdated security rules in the codebase.
In Struts frameworks, validation logic is often tied to specific form or action mappings. When developers rename or remove these mappings during refactoring, they can easily overlook the corresponding validation forms. These orphaned validation rules remain in the configuration files, creating a false sense of security and cluttering the code with dead logic.
This situation is problematic because it indicates that the application's validation layer is not being properly maintained. Attackers may exploit the gap between the actual form processing and the intended validation rules, potentially bypassing client-side or server-side checks. Regularly auditing and removing unused validation forms is essential to keep security configurations accurate and effective.
Impacto en el mundo real
Real-world CVEs caused by CWE-107
Todavía no hay CVEs públicos enlazados a esta CWE en el catálogo de MITRE.
Cómo lo explotan los atacantes
Ruta del atacante paso a paso
- 1
In the following example the class RegistrationForm is a Struts framework ActionForm Bean that will maintain user input data from a registration webpage for an online business site. The user will enter registration data and, through the Struts framework, the RegistrationForm bean will maintain the user data in the form fields using the private member variables. The RegistrationForm class uses the Struts validation capability by extending the ValidatorForm class and including the validation for the form fields within the validator XML file, validator.xml.
- 2
However, the validator XML file, validator.xml, for the RegistrationForm class includes the validation form for the user input form field "phone" that is no longer used by the input form and the RegistrationForm class. Any validation forms that are no longer required should be removed from the validator XML file, validator.xml.
- 3
The existence of unused forms may be an indication to attackers that this code is out of date or poorly maintained.
Ejemplo de código vulnerable
Vulnerable Java
In the following example the class RegistrationForm is a Struts framework ActionForm Bean that will maintain user input data from a registration webpage for an online business site. The user will enter registration data and, through the Struts framework, the RegistrationForm bean will maintain the user data in the form fields using the private member variables. The RegistrationForm class uses the Struts validation capability by extending the ValidatorForm class and including the validation for the form fields within the validator XML file, validator.xml.
public class RegistrationForm extends org.apache.struts.validator.ValidatorForm {
```
// private variables for registration form*
private String name;
private String address;
private String city;
private String state;
private String zipcode;
*// no longer using the phone form field*
*// private String phone;*
private String email;
public RegistrationForm() {
```
super();
}
```
// getter and setter methods for private variables*
...} Ejemplo de código seguro
Secure pseudo
// Validate, sanitize, or use a safe API before reaching the sink.
function handleRequest(input) {
const safe = validateAndEscape(input);
return executeWithGuards(safe);
} What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Lista de prevención
How to prevent CWE-107
- Implementation Remove the unused Validation Form from the validation.xml file.
Señales de detección
How to detect CWE-107
Ejecuta pruebas dinámicas de seguridad de aplicaciones (DAST) contra el endpoint en vivo.
Vigila los logs en tiempo de ejecución para detectar trazas de excepción inusuales, entradas malformadas o intentos de bypass de autorización.
Revisión de código: marca cualquier código nuevo que maneje entrada desde esta superficie sin usar los helpers validados del framework.
Plexicus detecta automáticamente CWE-107 y abre un PR de corrección en menos de 60 segundos.
Codex Remedium escanea cada commit, identifica esta debilidad concreta y entrega un pull request listo para revisión con el parche. Sin tickets. Sin traspasos.
Preguntas frecuentes ¿Qué es CWE-107?
¿Qué gravedad tiene CWE-107?
¿Qué lenguajes o plataformas se ven afectados por CWE-107?
¿Cómo puedo prevenir CWE-107?
¿Cómo detecta y corrige Plexicus CWE-107?
¿Dónde puedo aprender más sobre CWE-107?
Frequently asked questions
¿Qué es CWE-107?
This vulnerability occurs when a Struts application contains validation form definitions that are no longer linked to any active form or action, leaving outdated security rules in the codebase.
¿Qué gravedad tiene CWE-107?
MITRE no ha publicado una calificación de probabilidad de explotación para esta debilidad. Trátala como de impacto medio hasta que tu modelo de amenazas demuestre lo contrario.
¿Qué lenguajes o plataformas se ven afectados por CWE-107?
MITRE lists the following affected platforms: Java.
¿Cómo puedo prevenir CWE-107?
Remove the unused Validation Form from the validation.xml file.
¿Cómo detecta y corrige Plexicus CWE-107?
El motor SAST de Plexicus detecta la firma de flujo de datos para CWE-107 en cada commit. Cuando hay coincidencia, nuestro agente Codex Remedium abre un PR de corrección con el código corregido, las pruebas y un resumen de una línea para el revisor.
¿Dónde puedo aprender más sobre CWE-107?
MITRE publica la definición canónica en https://cwe.mitre.org/data/definitions/107.html. También puedes consultar la documentación de OWASP y NIST para guías relacionadas.
Debilidades relacionadas
Weaknesses related to CWE-107
CWE-1164 Padre
Irrelevant Code
Irrelevant code refers to sections of a program that have no impact on its execution, data, or logic. Removing this code would not change…
CWE-1071 Hermano
Empty Code Block
An empty code block occurs when a section of source code, such as a conditional statement or function body, contains no executable…
CWE-110 Hermano
Struts: Validator Without Form Field
This vulnerability occurs when a Struts application's validation configuration file references form fields that no longer exist in the…
CWE-561 Hermano
Dead Code
Dead code refers to sections of a program that can never run during normal execution, effectively making them inactive and unreachable.
CWE-563 Hermano
Assignment to Variable without Use
This vulnerability occurs when a value is stored in a variable, but that variable is never read or used in subsequent code, creating a…
Recursos
Further reading
- MITRE — CWE-107 oficial https://cwe.mitre.org/data/definitions/107.html
- Seven Pernicious Kingdoms: A Taxonomy of Software Security Errors https://samate.nist.gov/SSATTM_Content/papers/Seven%20Pernicious%20Kingdoms%20-%20Taxonomy%20of%20Sw%20Security%20Errors%20-%20Tsipenyuk%20-%20Chess%20-%20McGraw.pdf
Listo cuando tú lo estés
Deja de pagar por desarrollador.
Empieza a cerrar el bucle.
Plexicus es el ASPM nativo de IA que escanea, filtra, corrige, pentestea y explica — de forma autónoma. Desarrolladores ilimitados, repos ilimitados, acciones de IA de uso justo. Nivel gratuito real, €269/mo anual cuando estés listo.