CWE-109: Struts: Validator Turned Off

Learn about CWE-109 (Struts: Validator Turned Off), its security impact, exploitation methods, and prevention guidelines.

What is Struts: Validator Turned Off?

• Overview: Automatic input filtering for a Struts form bean is turned off (validate="false" on the action mapping), which disables the Struts Validator and any custom validate() logic, so the action processes unvalidated input and is exposed to insufficient input validation vulnerabilities.

• Exploitation Methods:

  • Attackers can exploit this vulnerability by injecting malicious data into input fields that are not properly validated.
  • Common attack patterns include SQL injection, cross-site scripting (XSS), and command injection.

• Security Impact:

  • Direct consequences of successful exploitation include unauthorized data access, data corruption, and system compromise.
  • Potential cascading effects include lateral movement within the network and further exploitation of interconnected systems.
  • Business impact can involve data breaches, loss of customer trust, legal liabilities, and financial losses.

• Prevention Guidelines:

  • Specific code-level fixes include ensuring that the Struts Validator is enabled and properly configured for all inputs.
  • Security best practices involve consistently validating and sanitizing all input data, using positive (whitelist) validation.
  • Recommended tools and frameworks include using security libraries like OWASP ESAPI and leveraging built-in Struts validation features to enforce strong input validation policies.

Corgea can automatically detect and fix Struts: Validator Turned Off in your codebase. [Try Corgea free today](https://corgea.app).

Technical Details

Likelihood of Exploit: Not specified

Affected Languages: Java

Affected Technologies: Not specified

Vulnerable Code Example

// Java Example: CWE-109 (Struts: Validator Turned Off)

import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// This example demonstrates a vulnerability where Struts validation is turned off
public class LoginAction extends Action {
    public ActionForward execute(ActionMapping mapping, ActionForm form,
                                 HttpServletRequest request, HttpServletResponse response) throws Exception {
        // Struts validation is disabled by setting validate to false
        if (!mapping.getValidate()) {
            // Directly processing user input without validation
            String username = request.getParameter("username");
            String password = request.getParameter("password");
            // Logic to authenticate user
            // This is insecure as it processes unvalidated input
        }
        return mapping.findForward("success");
    }
}

How to fix Struts: Validator Turned Off?

To fix this vulnerability, we need to ensure that automatic validation is enabled in the Struts configuration. Struts provides a declarative way to enforce validation logic via XML configuration or annotations, reducing the risk of human error when manually handling user inputs.

Steps to Fix:

  1. Enable Validation in Struts Configuration: Ensure the validate property is set to true in the Struts configuration file, which allows the framework's validation logic to run.

  2. Define Validation Rules: Use the Struts validation framework to define validation rules either in validation.xml or using annotations in the ActionForm class. This ensures that all inputs are validated consistently and automatically.

  3. Handle Validation Errors: Redirect users to an appropriate error page or display error messages if validation fails, enhancing user experience and security.

Fixed Code Example

<!-- struts-config.xml -->
<!-- Struts configuration with validation enabled -->
<action-mappings>
    <!-- validate="true" runs the Validator before LoginAction.execute();
         the input attribute tells Struts where to send the request back to
         (carrying the ActionErrors) when validation fails -->
    <action path="/login" type="com.example.LoginAction" name="loginForm"
            scope="request" validate="true" input="/login.jsp">
        <forward name="success" path="/home.jsp"/>
        <forward name="failure" path="/login.jsp"/>
    </action>
</action-mappings>

// LoginForm.java
import org.apache.struts.validator.ValidatorForm;

// ActionForm whose rules are declared in validation.xml;
// ValidatorForm.validate() applies them automatically, so no hand-written checks are needed
public class LoginForm extends ValidatorForm {
    private String username;
    private String password;

    public String getUsername() { return username; }
    public void setUsername(String username) { this.username = username; }

    public String getPassword() { return password; }
    public void setPassword(String password) { this.password = password; }
}

<!-- validation.xml -->
<!-- Validation rules for the loginForm bean; the form name must match the
     name attribute used for the form bean in struts-config.xml.
     The 1.3.0 DTD is used because the generic <arg> element below is not
     part of the older 1.0 DTD (which only knows <arg0>..<arg3>) -->
<!DOCTYPE form-validation PUBLIC "-//Apache Software Foundation//DTD Commons Validator Rules Configuration 1.3.0//EN"
        "http://jakarta.apache.org/commons/dtds/validator_1_3_0.dtd">

<form-validation>
    <formset>
        <form name="loginForm">
            <field property="username" depends="required">
                <arg key="loginForm.username"/>
            </field>
            <field property="password" depends="required">
                <arg key="loginForm.password"/>
            </field>
        </form>
    </formset>
</form-validation>

Explanation:

  • Validate Attribute: The validate="true" attribute in the struts-config.xml ensures that validation is performed before the action is executed.
  • ValidatorForm: Extending ValidatorForm allows us to leverage the Struts validation framework.
  • Validation Rules: Defined in validation.xml, ensuring that both username and password fields are required before proceeding with the action.

By following these steps, we eliminate manual input validation and rely on a robust framework for consistent and secure input handling.
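A quick way to confirm that no mapping in a struts-config.xml still has the Validator turned off, and that every form bean actually has rules to run, is to cross-check the two files. The audit below is an added example (not Corgea's or Struts' own code) that parses constructed sample copies of struts-config.xml and validation.xml and flags the conditions discussed above: an explicit validate="false", a form bean with no rules, and validate="true" without an input page for the errors.

```python
import xml.etree.ElementTree as ET

# Constructed sample struts-config.xml: /login is configured correctly, /search
# has the Validator turned off (CWE-109), /logout has no form bean at all.
STRUTS_CONFIG = """<struts-config>
  <form-beans>
    <form-bean name="loginForm" type="com.example.LoginForm"/>
    <form-bean name="searchForm" type="com.example.SearchForm"/>
  </form-beans>
  <action-mappings>
    <action path="/login" type="com.example.LoginAction" name="loginForm"
            scope="request" validate="true" input="/login.jsp"/>
    <action path="/search" type="com.example.SearchAction" name="searchForm"
            scope="request" validate="false"/>
    <action path="/logout" type="com.example.LogoutAction"/>
  </action-mappings>
</struts-config>"""

# Constructed sample validation.xml with rules for loginForm only.
VALIDATION_XML = """<form-validation>
  <formset>
    <form name="loginForm">
      <field property="username" depends="required"/>
      <field property="password" depends="required"/>
    </form>
  </formset>
</form-validation>"""


def forms_with_rules(validation_xml: str) -> set:
    """Names of form beans that have at least one <field> rule in validation.xml."""
    root = ET.fromstring(validation_xml)
    return {f.get("name") for f in root.iter("form") if f.find("field") is not None}


def audit_struts_config(struts_config: str, validation_xml: str) -> list:
    """Return (path, finding) pairs for mappings where automatic validation will not run."""
    findings = []
    rules = forms_with_rules(validation_xml)
    for action in ET.fromstring(struts_config).iter("action"):
        path, bean = action.get("path"), action.get("name")
        if bean is None:
            continue  # no form bean bound: Struts 1 never validates this mapping anyway
        # Struts 1 defaults validate to true; only an explicit "false" disables it.
        if action.get("validate", "true").lower() == "false":
            findings.append((path, 'validate="false" turns the Validator off'))
            continue
        if bean not in rules:
            findings.append((path, f"form bean '{bean}' has no rules in validation.xml"))
        if action.get("input") is None:
            findings.append((path, 'validate="true" but no input attribute to return errors to'))
    return findings
```

Run it against the real files by reading them into the two strings; every finding it returns is a mapping that still receives unvalidated input.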
