CWE-108 Structs:未经验证的动作表单

admin
admin
admin
139897
文章
114
评论
2021年12月28日19:22:10评论62 views字数 1672阅读5分34秒阅读模式

CWE-108 Structs:未经验证的动作表单

Struts: Unvalidated Action Form

结构: Simple

Abstraction: Variant

状态: Incomplete

被利用可能性: unkown

基本描述

Every Action Form must have a corresponding validation form.

扩展描述

If a Struts Action Form Mapping specifies a form, it must have a validation form defined under the Struts Validator.

相关缺陷

  • cwe_Nature: ChildOf cwe_CWE_ID: 1173 cwe_View_ID: 1000 cwe_Ordinal: Primary

  • cwe_Nature: ChildOf cwe_CWE_ID: 1173 cwe_View_ID: 699 cwe_Ordinal: Primary

  • cwe_Nature: ChildOf cwe_CWE_ID: 20 cwe_View_ID: 700 cwe_Ordinal: Primary

适用平台

Language: {'cwe_Name': 'Java', 'cwe_Prevalence': 'Undetermined'}

常见的影响

范围 影响 注释
Other Other If an action form mapping does not have a validation form defined, it may be vulnerable to a number of attacks that rely on unchecked input. Unchecked input is the root cause of some of today's worst and most common software security problems. Cross-site scripting, SQL injection, and process control vulnerabilities all stem from incomplete or absent input validation.
['Confidentiality', 'Integrity', 'Availability', 'Other'] Other Although J2EE applications are not generally susceptible to memory corruption attacks, if a J2EE application interfaces with native code that does not perform array bounds checking, an attacker may be able to use an input validation mistake in the J2EE application to launch a buffer overflow attack.

可能的缓解方案

Implementation

策略: Input Validation

Map every Action Form to a corresponding validation form.
An action or a form may perform validation in other ways, but the Struts Validator provides an excellent way to verify that all input receives at least a basic level of validation. Without this approach, it is difficult, and often impossible, to establish with a high level of confidence that all input is validated.

分类映射

映射的分类名 ImNode ID Fit Mapped Node Name
7 Pernicious Kingdoms Struts: Unvalidated Action Form
Software Fault Patterns SFP24 Tainted input to command

文章来源于互联网:scap中文网

免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2021年12月28日19:22:10
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   CWE-108 Structs:未经验证的动作表单https://cn-sec.com/archives/612949.html
                  免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉.

发表评论

匿名网友 填写信息