CWE-108: Struts: Unvalidated Action Form

Learn about CWE-108 (Struts: Unvalidated Action Form), its security impact, exploitation methods, and prevention guidelines.

What is Struts: Unvalidated Action Form?

• Overview: This weakness occurs when a Struts 1 ActionForm has no corresponding validation form, that is, no entry for it in the Validator framework's validation.xml and no overridden validate() method. Struts populates the form's fields straight from request parameters, so whatever the client sends reaches the Action unchecked, and any sink that later consumes those fields (a SQL query, an HTML page, a file path) is exposed to malformed or malicious input.

• Exploitation Methods:

  • An attacker submits crafted values in the form's fields; because no validation form rejects them, Struts binds them into the ActionForm and passes them to the Action as-is.
  • Which attack succeeds depends on where the unchecked field ends up: SQL injection if it is concatenated into a query, cross-site scripting if it is echoed into a page, or abuse of length and format assumptions in the business logic.

• Security Impact:

  • Direct consequences of successful exploitation include unauthorized access to sensitive data and potential system compromise.
  • Potential cascading effects include data breaches, loss of customer trust, and compliance violations.
  • Business impact can be significant, including financial loss, reputational damage, and legal liabilities.

• Prevention Guidelines:

  • Specific code-level fixes include giving every ActionForm a corresponding validation form: an entry in validation.xml for forms based on ValidatorForm or DynaValidatorForm, or an overridden validate() method. The action mapping in struts-config.xml must also keep validate="true" and name an input page, because Struts skips validation otherwise.
  • Security best practices involve regular code reviews, input validation, and sanitization.
  • Recommended tools and frameworks include using the Struts Validator framework for input validation and employing static analysis tools to detect missing validations.

Corgea can automatically detect and fix Struts: Unvalidated Action Form in your codebase. Try Corgea free today.

Technical Details

Likelihood of Exploit: Not specified

Affected Languages: Java

Affected Technologies: Not specified

Vulnerable Code Example

Java Example

// Vulnerable code: this ActionForm neither overrides validate() nor has an
// entry in validation.xml, so the values Struts binds from the request reach
// the Action unchecked.
import org.apache.struts.action.ActionForm;

public class LoginForm extends ActionForm {
    private String username;
    private String password;

    // Getter and setter for username
    public String getUsername() {
        return username;
    }

    public void setUsername(String username) {
        this.username = username; // Struts calls this with the raw request parameter; nothing checks it
    }

    // Getter and setter for password
    public String getPassword() {
        return password;
    }

    public void setPassword(String password) {
        this.password = password; // Same here: no presence, length, or character check
    }

    // No validate() override: the RequestProcessor finds nothing to run, and
    // the Action receives whatever the client sent.
}

Explanation: In this vulnerable example, LoginForm neither overrides validate() nor is registered in validation.xml, so Struts binds username and password straight from the request and hands them to the Action without any check on presence, length, or allowed characters. If the Action then builds a SQL query from these values or renders the username into a page, the unchecked input feeds an injection sink directly.

How to fix Struts: Unvalidated Action Form?

To fix the vulnerability, every ActionForm in a Struts application should have a corresponding validation form or an overridden validate() method, so that input is checked before the Action runs. Checking presence, length, and allowed characters narrows the attack surface for injection, data tampering, and logic manipulation, although it does not replace parameterized queries and output encoding at the sink. Struts 1 provides two built-in mechanisms for this: the validate() hook on ActionForm, and the declarative Validator framework, which is built on Apache Commons Validator.

Here are the steps to implement proper input validation in a Struts Action Form:

  1. Implement a validate method: Override validate(ActionMapping, HttpServletRequest) in your ActionForm class and put the checks for each field there.
  2. Use ActionErrors: Add each failed check to an ActionErrors object and return it. If the object contains any errors, the RequestProcessor forwards back to the mapping's input page instead of calling the Action, and the <html:errors/> tag displays the messages.
  3. Enable validation in the mapping and, for declarative rules, use the Validator: the action mapping in struts-config.xml must have validate="true" (the default) and an input attribute, or validate() is never called. For declarative rules, make the form extend ValidatorForm (or use DynaValidatorForm), register the ValidatorPlugIn in struts-config.xml, and define the per-field rules in validation.xml; that file entry is the "validation form" CWE-108 refers to.

Fixed Code Example

// Fixed code: the ActionForm overrides validate(), so Struts checks the fields
// before the Action runs (provided the mapping has validate="true").
import javax.servlet.http.HttpServletRequest;

import org.apache.struts.action.ActionErrors;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionMapping;
import org.apache.struts.action.ActionMessage;

public class LoginForm extends ActionForm {
    private String username;
    private String password;

    // Getter and setter for username
    public String getUsername() {
        return username;
    }

    public void setUsername(String username) {
        this.username = username;
    }

    // Getter and setter for password
    public String getPassword() {
        return password;
    }

    public void setPassword(String password) {
        this.password = password;
    }

    // Called by the RequestProcessor after the form is populated; a non-empty
    // result forwards back to the mapping's input page instead of the Action.
    @Override
    public ActionErrors validate(ActionMapping mapping, HttpServletRequest request) {
        ActionErrors errors = new ActionErrors();

        if (username == null || username.trim().isEmpty()) {
            errors.add("username", new ActionMessage("error.username.required"));
        }

        if (password == null || password.trim().isEmpty()) {
            errors.add("password", new ActionMessage("error.password.required"));
        }

        // Additional checks (length limits, allowed characters) belong here

        return errors;
    }
}

Explanation: In the fixed example, validate() is overridden to check both fields and to add an ActionMessage to the ActionErrors object when either is null or blank; a non-empty result makes Struts forward back to the mapping's input page instead of calling the Action. Two caveats apply. First, Struts only calls validate() when the action mapping has validate="true" (the default) and an input attribute, so the fix is incomplete until struts-config.xml is checked as well as the form class. Second, presence checks alone do not stop injection: the Action must still use parameterized queries and encode output, and validation should narrow what reaches those sinks, for example by bounding length and restricting the username to an allowlist of characters.
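The following goes beyond the page's presence-only check, as an added example that is not part of the original page: an ActionForm whose validate() enforces length limits and an allowlist pattern, with the rules kept in a pure static method so they can be exercised outside a servlet container. The class name StrictLoginForm, the limits, and the message keys are assumptions; the Struts 1.x and Servlet API jars are assumed to be on the classpath.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

import javax.servlet.http.HttpServletRequest;

import org.apache.struts.action.ActionErrors;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionMapping;
import org.apache.struts.action.ActionMessage;

// Added example, not from the original page: validate() applies length limits
// and an allowlist pattern, not only presence checks. Message keys such as
// error.username.badchars are hypothetical resource-bundle keys.
public class StrictLoginForm extends ActionForm {
    private static final int MAX_USERNAME = 64;
    private static final int MAX_PASSWORD = 128;
    // Allowlist of characters a username may contain; anything else is rejected
    // before the Action ever sees the value.
    private static final Pattern USERNAME_OK = Pattern.compile("^[A-Za-z0-9_.-]+$");

    private String username;
    private String password;

    public String getUsername() { return username; }
    public void setUsername(String username) { this.username = username; }
    public String getPassword() { return password; }
    public void setPassword(String password) { this.password = password; }

    // The rules live in a pure static method so they can be tested without a
    // container. Each entry is {property, messageKey}; an empty list means valid.
    static List<String[]> check(String username, String password) {
        List<String[]> problems = new ArrayList<String[]>();
        if (username == null || username.trim().length() == 0) {
            problems.add(new String[] {"username", "error.username.required"});
        } else if (username.length() > MAX_USERNAME) {
            problems.add(new String[] {"username", "error.username.toolong"});
        } else if (!USERNAME_OK.matcher(username).matches()) {
            problems.add(new String[] {"username", "error.username.badchars"});
        }
        // Passwords keep their full character set (restricting it would lower
        // entropy); only presence and an upper bound on length are enforced.
        if (password == null || password.length() == 0) {
            problems.add(new String[] {"password", "error.password.required"});
        } else if (password.length() > MAX_PASSWORD) {
            problems.add(new String[] {"password", "error.password.toolong"});
        }
        return problems;
    }

    // Called by the RequestProcessor only when the action mapping in
    // struts-config.xml has validate="true"; a non-empty result forwards back
    // to the mapping's input page instead of invoking the Action.
    @Override
    public ActionErrors validate(ActionMapping mapping, HttpServletRequest request) {
        ActionErrors errors = new ActionErrors();
        for (String[] problem : check(username, password)) {
            errors.add(problem[0], new ActionMessage(problem[1]));
        }
        return errors;
    }

    // Session-scoped forms keep values between requests; clear them so a stale
    // value cannot survive into the next submission.
    @Override
    public void reset(ActionMapping mapping, HttpServletRequest request) {
        username = null;
        password = null;
    }

    // Exercises the rules on constructed inputs; run with the Struts jars on the classpath.
    public static void main(String[] args) {
        StringBuilder tooLong = new StringBuilder();
        for (int i = 0; i < MAX_USERNAME + 1; i++) {
            tooLong.append('a');
        }
        String[][] samples = {
            {"alice", "correct horse battery staple"}, // valid
            {"", "x"},                                  // missing username
            {"alice' OR '1'='1", "x"},                  // quote and spaces fail the allowlist
            {tooLong.toString(), "x"},                  // over the length limit
            {"bob", null},                              // missing password
        };
        for (String[] s : samples) {
            List<String[]> problems = check(s[0], s[1]);
            System.out.print("username=" + s[0] + " -> ");
            if (problems.isEmpty()) {
                System.out.println("ok");
            } else {
                for (String[] p : problems) {
                    System.out.print(p[0] + ":" + p[1] + " ");
                }
                System.out.println();
            }
        }
    }
}
```

The allowlist rejects the quote-bearing sample before it reaches the Action, but that is defence in depth, not the primary control: the Action's database lookup still belongs in a PreparedStatement, and anything echoed back to the page still needs output encoding, because the password field deliberately accepts any character.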


Find this vulnerability and fix it with Corgea

Scan your codebase for CWE-108: Struts: Unvalidated Action Form and get remediation guidance

Start for free and no credit card needed.