CWE-109 Structs:验证器关闭
Struts: Validator Turned Off
结构: Simple
Abstraction: Variant
状态: Draft
被利用可能性: unkown
基本描述
Automatic filtering via a Struts bean has been turned off, which disables the Struts Validator and custom validation logic. This exposes the application to other weaknesses related to insufficient input validation.
相关缺陷
-
cwe_Nature: ChildOf cwe_CWE_ID: 1173 cwe_View_ID: 1000 cwe_Ordinal: Primary
-
cwe_Nature: ChildOf cwe_CWE_ID: 1173 cwe_View_ID: 699 cwe_Ordinal: Primary
-
cwe_Nature: ChildOf cwe_CWE_ID: 20 cwe_View_ID: 700 cwe_Ordinal: Primary
适用平台
Language: {'cwe_Name': 'Java', 'cwe_Prevalence': 'Undetermined'}
常见的影响
| 范围 | 影响 | 注释 |
|---|---|---|
| Access Control | Bypass Protection Mechanism |
可能的缓解方案
Implementation
策略:
Ensure that an action form mapping enables validation. Set the validate field to true.
示例代码
例
This mapping defines an action for a download form:
bad XML
type="com.website.d2.action.DownloadAction"
name="downloadForm"
scope="request"
input=".download"
validate="false">
</action>
This mapping has disabled validation. Disabling validation exposes this action to numerous types of attacks.
Notes
分类映射
| 映射的分类名 | ImNode ID | Fit | Mapped Node Name |
|---|---|---|---|
| 7 Pernicious Kingdoms | Struts: Validator Turned Off | ||
| Software Fault Patterns | SFP24 | Tainted input to command |