Description
Automatic filtering via a Struts bean has been turned off, which disables the Struts Validator and custom validation logic. In Struts 1 this happens when an action mapping that binds a form bean sets validate="false": the framework no longer calls the form's validate() method or the Validator rules before the Action runs, so every field of the request reaches application code unchecked. This exposes the application to other weaknesses related to insufficient input validation.
Potential Impact
Access Control
Bypass Protection Mechanism
Demonstrative Examples
The following action mapping binds the downloadForm bean but turns validation off, so DownloadAction receives the unvalidated request:

<action path="/download"
        type="com.website.d2.action.DownloadAction"
        name="downloadForm"
        scope="request"
        input=".download"
        validate="false">
</action>

Mitigations & Prevention
Ensure that every action form mapping that binds a form bean enables validation. Set the validate field to true (the Struts 1 default when the attribute is omitted) and keep an input attribute on the mapping so that a failed validation returns the user to the form instead of reaching the Action. Enabling validate only triggers the check; the form must still implement validate() or, for declarative rules, extend ValidatorForm with the ValidatorPlugIn configured.
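Added example (not part of the CWE entry): a small audit script that parses a struts-config.xml and flags every action mapping that binds a form bean but sets validate="false", then rewrites those mappings to validate="true". The embedded config is constructed for the example; it contains the weak mapping shown above beside a corrected copy, and the form-bean class name and the /downloadSafe and /logout paths are assumptions.

```python
"""Audit a Struts 1 struts-config.xml for CWE-109 (validate="false" on a mapping with a form bean)."""
import xml.etree.ElementTree as ET

# Constructed sample config. The /download mapping is the weak one from the page;
# /downloadSafe is the corrected form; /logout binds no form bean (assumed paths/classes).
STRUTS_CONFIG = """
<struts-config>
  <form-beans>
    <form-bean name="downloadForm" type="com.website.d2.form.DownloadForm"/>
  </form-beans>
  <action-mappings>
    <action path="/download"
            type="com.website.d2.action.DownloadAction"
            name="downloadForm"
            scope="request"
            input=".download"
            validate="false">
    </action>
    <action path="/downloadSafe"
            type="com.website.d2.action.DownloadAction"
            name="downloadForm"
            scope="request"
            input=".download"
            validate="true">
    </action>
    <action path="/logout" type="com.website.d2.action.LogoutAction"/>
  </action-mappings>
</struts-config>
"""


def find_unvalidated_actions(config_xml: str) -> list:
    """Return the mappings that bind a form bean (name=...) but disable validation.

    A mapping without a form bean has nothing for the Validator to check, so it is not
    reported. An omitted validate attribute defaults to true in Struts 1.
    """
    root = ET.fromstring(config_xml)
    findings = []
    for action in root.iter("action"):
        form_bean = action.get("name")
        validate = action.get("validate", "true").strip().lower()
        if form_bean and validate == "false":
            findings.append({
                "path": action.get("path"),
                "form": form_bean,
                "input": action.get("input"),  # None here is a second problem: nowhere to return on failure
            })
    return findings


def enforce_validation(config_xml: str) -> str:
    """Return the config with validate="true" set on every flagged mapping."""
    root = ET.fromstring(config_xml)
    for action in root.iter("action"):
        if action.get("name") and action.get("validate", "true").strip().lower() == "false":
            action.set("validate", "true")
    return ET.tostring(root, encoding="unicode")


def main() -> None:
    for finding in find_unvalidated_actions(STRUTS_CONFIG):
        print("validation disabled: path={path} form={form} input={input}".format(**finding))
    hardened = enforce_validation(STRUTS_CONFIG)
    print("remaining findings after fix:", len(find_unvalidated_actions(hardened)))


if __name__ == "__main__":
    main()
```

Run it against a real struts-config.xml by reading the file into find_unvalidated_actions. Flipping the attribute is only the first half of the fix: confirm that the bound form class actually implements validate() (or extends ValidatorForm with rules in validation.xml), otherwise validate="true" runs an empty check.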
Related Weaknesses
- ChildOf CWE-1173: Improper Use of Validation Framework
Taxonomy Mappings
- 7 Pernicious Kingdoms: Struts: Validator Turned Off
- Software Fault Patterns: SFP24 — Tainted input to command
Frequently Asked Questions
What is CWE-109?
CWE-109 (Struts: Validator Turned Off) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Variant-level weakness. Automatic filtering via a Struts bean has been turned off, which disables the Struts Validator and custom validation logic. This exposes the application to other weaknesses related to insufficient input validation.
How can CWE-109 be exploited?
Attackers can exploit CWE-109 (Struts: Validator Turned Off) to bypass a protection mechanism: with validation disabled, request parameters that the form's validate() method or Validator rules would have rejected are passed straight to the Action. This weakness is typically introduced during the Implementation phase of software development.
How do I prevent CWE-109?
Key mitigations include: ensure that every action form mapping that binds a form bean enables validation by setting the validate field to true, and keep an input attribute so that failed validation returns to the form.
What is the severity of CWE-109?
CWE-109 is classified as a Variant-level weakness (the most specific abstraction level in CWE). CWE does not assign it a severity score; its actual severity depends on what the disabled validation was protecting and how the unvalidated input is used in your application.