CWE-105 Structs:缺少验证的表单域
Struts: Form Field Without Validator
结构: Simple
Abstraction: Variant
状态: Draft
被利用可能性: unkown
基本描述
The application has a form field that is not validated by a corresponding validation form, which can introduce other weaknesses related to insufficient input validation.
扩展描述
Omitting validation for even a single input field may give attackers the leeway they need to compromise the application. Although J2EE applications are not generally susceptible to memory corruption attacks, if a J2EE application interfaces with native code that does not perform array bounds checking, an attacker may be able to use an input validation mistake in the J2EE application to launch a buffer overflow attack.
相关缺陷
-
cwe_Nature: ChildOf cwe_CWE_ID: 1173 cwe_View_ID: 1000 cwe_Ordinal: Primary
-
cwe_Nature: ChildOf cwe_CWE_ID: 1173 cwe_View_ID: 699 cwe_Ordinal: Primary
-
cwe_Nature: ChildOf cwe_CWE_ID: 20 cwe_View_ID: 700 cwe_Ordinal: Primary
适用平台
Language: {'cwe_Name': 'Java', 'cwe_Prevalence': 'Undetermined'}
常见的影响
| 范围 | 影响 | 注释 |
|---|---|---|
| Integrity | Unexpected State | |
| Integrity | Bypass Protection Mechanism | If unused fields are not validated, shared business logic in an action may allow attackers to bypass the validation checks that are performed for other uses of the form. |
可能的缓解方案
Implementation
策略:
Ensure that you validate all form fields. If a field is unused, it is still important to constrain it so that it is empty or undefined.
示例代码
例
In the following example the Java class RegistrationForm is a Struts framework ActionForm Bean that will maintain user input data from a registration webpage for an online business site. The user will enter registration data and, through the Struts framework, the RegistrationForm bean will maintain the user data in the form fields using the private member variables. The RegistrationForm class uses the Struts validation capability by extending the ValidatorForm class and including the validation for the form fields within the validator XML file, validator.xml.
result
// private variables for registration form
private String name;
private String address;
private String city;
private String state;
private String zipcode;
private String phone;
private String email;
public RegistrationForm() {
// getter and setter methods for private variables
...
The validator XML file, validator.xml, provides the validation for the form fields of the RegistrationForm.
bad XML
<field property="address" depends="required">
<field property="city" depends="required">
<field property="state" depends="required,mask">
<var>
<var-value>[a-zA-Z]{2}</var-value>
<field property="zipcode" depends="required,mask">
<var>
<var-value>\d{5}</var-value>
However, in the previous example the validator XML file, validator.xml, does not provide validators for all of the form fields in the RegistrationForm. Validator forms are only provided for the first five of the seven form fields. The validator XML file should contain validator forms for all of the form fields for a Struts ActionForm bean. The following validator.xml file for the RegistrationForm class contains validator forms for all of the form fields.
good XML
<field property="address" depends="required">
<field property="city" depends="required">
<field property="state" depends="required,mask">
<var>
<var-value>[a-zA-Z]{2}</var-value>
<field property="zipcode" depends="required,mask">
<var>
<var-value>\d{5}</var-value>
<field property="phone" depends="required,mask">
<var>
<var-value>^([0-9]{3})(-)([0-9]{4}|[0-9]{4})$</var-value>
<field property="email" depends="required,email">
分类映射
| 映射的分类名 | ImNode ID | Fit | Mapped Node Name |
|---|---|---|---|
| 7 Pernicious Kingdoms | Struts: Form Field Without Validator | ||
| Software Fault Patterns | SFP24 | Tainted input to command |