
CWE-608: Struts: Non-private Field in ActionForm Class

An ActionForm class contains a field that has not been declared private, which can be accessed without using a setter or getter.


Description

An ActionForm class contains a field that has not been declared private, which can be accessed without using a setter or getter.

Potential Impact

Integrity, Confidentiality

Modify Application Data, Read Application Data

Demonstrative Examples

In the following Java example the class RegistrationForm is a Struts framework ActionForm bean that holds the user input from a registration web page for an online business site. The user enters registration data and, through the Struts framework, the RegistrationForm bean maintains that user data.
Bad
import javax.servlet.http.HttpServletRequest;
import org.apache.struts.action.ActionErrors;
import org.apache.struts.action.ActionMapping;

public class RegistrationForm extends org.apache.struts.validator.ValidatorForm {

    // variables for registration form (declared public: any code with a reference
    // to the bean can read or overwrite them without going through an accessor)
    public String name;
    public String email;
    ...

    public RegistrationForm() {
        super();
    }

    public ActionErrors validate(ActionMapping mapping, HttpServletRequest request) {
        ...
    }
    ...
}
However, within RegistrationForm the member variables holding the form input data are declared public rather than private. All member variables of a Struts framework ActionForm class must be declared private so that they cannot be modified except through the getter and setter methods. The following example shows the member variables declared private, with getter and setter methods declared for accessing them.
Good
import javax.servlet.http.HttpServletRequest;
import org.apache.struts.action.ActionErrors;
import org.apache.struts.action.ActionMapping;

public class RegistrationForm extends org.apache.struts.validator.ValidatorForm {

    // private variables for registration form
    private String name;
    private String email;
    ...

    public RegistrationForm() {
        super();
    }

    public ActionErrors validate(ActionMapping mapping, HttpServletRequest request) {
        ...
    }

    // getter and setter methods for private variables
    public String getName() { return name; }
    public void setName(String name) { this.name = name; }
    public String getEmail() { return email; }
    public void setEmail(String email) { this.email = email; }
    ...
}

Mitigations & Prevention

Implementation

Make all fields private. Use a getter to read the value of a field. Setters should be used only by the framework; setting an action form field from other actions is bad practice and should be avoided.

Detection Methods

  • Automated Static Analysis — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea
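The mitigation above (every ActionForm field private, accessed only via getters and setters) is exactly the property the static-analysis detection method can check for. The following is an added example, not code from the CWE entry or from Struts: a small Python scanner that locates classes extending one of the Struts 1 form base classes and reports every non-static field that is not declared private. The base-class names, the two sample Java sources and the regex-based member extraction are all assumptions made for this illustration; a production SAST rule would work on a real Java AST rather than on brace counting.

```python
"""Toy static check for CWE-608: non-private fields in Struts ActionForm subclasses.

Added example, not code from the CWE entry. It uses a small brace-tracking
scanner rather than a Java parser, so it only handles the plain class layouts
used here (no string literals containing braces, no nested classes).
"""
import re
from dataclasses import dataclass
from typing import List

# Simple names of the Struts 1 form base classes a form bean may extend
# (assumption for this example; extend the set as needed).
FORM_BASES = {"ActionForm", "ValidatorForm", "ValidatorActionForm",
              "DynaActionForm", "DynaValidatorForm", "DynaValidatorActionForm"}

CLASS_RE = re.compile(r"\bclass\s+(\w+)\s+extends\s+([\w.]+)[^{]*\{")
FIELD_RE = re.compile(
    r"^\s*((?:(?:public|protected|private|static|final|transient|volatile)\s+)*)"
    r"([\w.<>\[\],?\s]+?)\s+(\w+)\s*(?:=.*)?$", re.S)
COMMENT_RE = re.compile(r"//[^\n]*|/\*.*?\*/", re.S)
ANNOT_RE = re.compile(r"@\w+(?:\([^)]*\))?")


@dataclass
class Finding:
    form_class: str
    field: str
    visibility: str  # "public", "protected" or "package-private"


def _class_body(src: str, open_idx: int) -> str:
    """Return the text between the class's opening brace and its matching close."""
    depth = 0
    for i in range(open_idx, len(src)):
        if src[i] == "{":
            depth += 1
        elif src[i] == "}":
            depth -= 1
            if depth == 0:
                return src[open_idx + 1:i]
    raise ValueError("unbalanced braces")


def _member_statements(body: str) -> List[str]:
    """Collect depth-1 statements of a class body; method/initializer blocks are dropped."""
    stmts, buf, depth = [], [], 0
    for ch in body:
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0 and "=" not in "".join(buf):
                buf = []  # a method, constructor or static block just ended
            continue
        if depth > 0:
            continue  # inside a method body or an array initializer
        if ch == ";":
            stmts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    return [s for s in stmts if s]


def find_non_private_form_fields(java_src: str) -> List[Finding]:
    """Report non-static fields of ActionForm subclasses that are not private."""
    src = COMMENT_RE.sub("", java_src)
    findings: List[Finding] = []
    for m in CLASS_RE.finditer(src):
        cls, base = m.group(1), m.group(2)
        if base.rsplit(".", 1)[-1] not in FORM_BASES:
            continue  # not a Struts form bean; public fields are out of scope here
        for stmt in _member_statements(_class_body(src, m.end() - 1)):
            f = FIELD_RE.match(ANNOT_RE.sub("", stmt))
            if not f:
                continue
            mods = f.group(1).split()
            if "static" in mods or "private" in mods:
                continue  # constants are not form properties; private is the fix
            vis = ("public" if "public" in mods
                   else "protected" if "protected" in mods else "package-private")
            findings.append(Finding(cls, f.group(3), vis))
    return findings


# Constructed sample sources (not from the page), modelled on the Bad and Good forms.
BAD_SOURCE = """
public class RegistrationForm extends org.apache.struts.validator.ValidatorForm {
    // variables for registration form
    public String name;
    public String email;
    protected int attempts;
    String phone;
    static final String FORM_ID = "reg";

    public RegistrationForm() { super(); }
    public ActionErrors validate(ActionMapping mapping, HttpServletRequest request) { return null; }
}
"""

GOOD_SOURCE = """
public class RegistrationForm extends org.apache.struts.validator.ValidatorForm {
    private String name;
    private String email;
    private static final long serialVersionUID = 1L;

    public String getName() { return name; }
    public void setName(String name) { this.name = name; }
    public String getEmail() { return email; }
    public void setEmail(String email) { this.email = email; }
}
"""

if __name__ == "__main__":
    for f in find_non_private_form_fields(BAD_SOURCE):
        print(f"CWE-608: {f.form_class}.{f.field} is {f.visibility}, should be private")
    print("good form findings:", find_non_private_form_fields(GOOD_SOURCE))
```

Static fields are skipped because they are constants rather than form properties populated by the framework; a class whose superclass is not one of the Struts form bases is skipped entirely, since CWE-608 is specific to ActionForm beans.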

Taxonomy Mappings

  • Software Fault Patterns: SFP28 — Unexpected access points

Frequently Asked Questions

What is CWE-608?

CWE-608 (Struts: Non-private Field in ActionForm Class) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Variant-level weakness. An ActionForm class contains a field that has not been declared private, which can be accessed without using a setter or getter.

How can CWE-608 be exploited?

Attackers can exploit CWE-608 (Struts: Non-private Field in ActionForm Class) to modify or read application data. This weakness is typically introduced during the Implementation phase of software development.

How do I prevent CWE-608?

Key mitigations include: make all fields private; use a getter to read the value of a field; setters should be used only by the framework, since setting an action form field from other actions is bad practice and should be avoided.

What is the severity of CWE-608?

CWE-608 is classified as a Variant-level weakness (Low-Medium abstraction). Its actual severity depends on the specific context and how the weakness manifests in your application.