CWE-105 Structs:缺少验证的表单域

admin 2022年1月7日02:24:49评论72 views字数 2772阅读9分14秒阅读模式

CWE-105 Structs:缺少验证的表单域

Struts: Form Field Without Validator

结构: Simple

Abstraction: Variant

状态: Draft

被利用可能性: unkown

基本描述

The application has a form field that is not validated by a corresponding validation form, which can introduce other weaknesses related to insufficient input validation.

扩展描述

Omitting validation for even a single input field may give attackers the leeway they need to compromise the application. Although J2EE applications are not generally susceptible to memory corruption attacks, if a J2EE application interfaces with native code that does not perform array bounds checking, an attacker may be able to use an input validation mistake in the J2EE application to launch a buffer overflow attack.

相关缺陷

  • cwe_Nature: ChildOf cwe_CWE_ID: 1173 cwe_View_ID: 1000 cwe_Ordinal: Primary

  • cwe_Nature: ChildOf cwe_CWE_ID: 1173 cwe_View_ID: 699 cwe_Ordinal: Primary

  • cwe_Nature: ChildOf cwe_CWE_ID: 20 cwe_View_ID: 700 cwe_Ordinal: Primary

适用平台

Language: {'cwe_Name': 'Java', 'cwe_Prevalence': 'Undetermined'}

常见的影响

范围 影响 注释
Integrity Unexpected State
Integrity Bypass Protection Mechanism If unused fields are not validated, shared business logic in an action may allow attackers to bypass the validation checks that are performed for other uses of the form.

可能的缓解方案

Implementation

策略:

Ensure that you validate all form fields. If a field is unused, it is still important to constrain it so that it is empty or undefined.

示例代码

In the following example the Java class RegistrationForm is a Struts framework ActionForm Bean that will maintain user input data from a registration webpage for an online business site. The user will enter registration data and, through the Struts framework, the RegistrationForm bean will maintain the user data in the form fields using the private member variables. The RegistrationForm class uses the Struts validation capability by extending the ValidatorForm class and including the validation for the form fields within the validator XML file, validator.xml.

result

public class RegistrationForm extends org.apache.struts.validator.ValidatorForm {


// private variables for registration form

private String name;
private String address;
private String city;
private String state;
private String zipcode;
private String phone;
private String email;

public RegistrationForm() {

super();

}

// getter and setter methods for private variables

...

}

The validator XML file, validator.xml, provides the validation for the form fields of the RegistrationForm.

bad XML





mask
[a-zA-Z]{2}



mask
d{5}

However, in the previous example the validator XML file, validator.xml, does not provide validators for all of the form fields in the RegistrationForm. Validator forms are only provided for the first five of the seven form fields. The validator XML file should contain validator forms for all of the form fields for a Struts ActionForm bean. The following validator.xml file for the RegistrationForm class contains validator forms for all of the form fields.

good XML





mask
[a-zA-Z]{2}



mask
d{5}



mask
^([0-9]{3})(-)([0-9]{4}|[0-9]{4})$


分类映射

映射的分类名 ImNode ID Fit Mapped Node Name
7 Pernicious Kingdoms Struts: Form Field Without Validator
Software Fault Patterns SFP24 Tainted input to command

文章来源于互联网:scap中文网

  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2022年1月7日02:24:49
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   CWE-105 Structs:缺少验证的表单域http://cn-sec.com/archives/612729.html

发表评论

匿名网友 填写信息