CWE-105: Struts: Form Field Without Validator

Description

The product has a form field that is not validated by a corresponding validation form, which can introduce other weaknesses related to insufficient input validation.

Extended Description

Omitting validation for even a single input field may give attackers the leeway they need to compromise the product. Although J2EE applications are not generally susceptible to memory corruption attacks, if a J2EE application interfaces with native code that does not perform array bounds checking, an attacker may be able to use an input validation mistake in the J2EE application to launch a buffer overflow attack.


ThreatScore

Threat Mapped score: 1.5

Industry: Financial

Threat priority: P4 - Informational (Low)


Observed Examples (CVEs)

Related Attack Patterns (CAPEC)

N/A


Attack TTPs

N/A

Modes of Introduction

Phase: Implementation

Note: Some products use the same ActionForm for more than one purpose. In situations like this, some fields may go unused under some action mappings.

Common Consequences

Potential Mitigations

Applicable Platforms


Demonstrative Examples

In the following example, the Java class RegistrationForm is a Struts ActionForm bean that holds the user input submitted from the registration page of an online business site. The user enters registration data and, through the Struts framework, the RegistrationForm bean stores it in the form fields backed by the private member variables. RegistrationForm uses the Struts validation capability by extending ValidatorForm and declaring the validation rules for its fields in the validator XML file, validator.xml.

The validator XML file, validator.xml, provides the validation for the form fields of RegistrationForm. The weakness arises when one of the form's fields has no corresponding entry in that file: the value is then accepted without any check, and the unvalidated input flows into the rest of the application.

public class RegistrationForm extends org.apache.struts.validator.ValidatorForm {

    // private variables for registration form
    private String name;
    private String address;
    private String city;
    private String state;
    private String zipcode;
    private String phone;
    private String email;

    public RegistrationForm() {
        super();
    }

    // getter and setter methods for private variables
    ...
}
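The following is an added example, not code from the CWE entry or from the Struts project: a small checker that cross-references the private fields of an ActionForm class against the <field> entries declared for that form in validator.xml and reports any field without a validator (this entry's weakness) as well as any <field> entry whose property name matches nothing on the form, which is what a misspelled property looks like and which silently leaves the real field unvalidated. It also covers the "same ActionForm reused under several mappings" case above, since it is the form class, not the mapping, that is compared. The form source, the validator.xml (with two deliberately constructed slips, a missing entry for phone and a zipCode/zipcode mismatch) and the corrected file are all constructed samples embedded inline; the regex-based extraction of Java field names is an assumption that holds for plain field declarations of the kind shown on this page, not a full Java parser.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the page's RegistrationForm bean, trimmed to its field declarations.
FORM_SOURCE = """
public class RegistrationForm extends org.apache.struts.validator.ValidatorForm {
    private String name;
    private String address;
    private String city;
    private String state;
    private String zipcode;
    private String phone;
    private String email;
}
"""

# Constructed sample validator.xml (assumption for illustration, not the page's file) with two
# slips: "phone" has no <field> entry at all, and "zipcode" is spelled "zipCode", so that rule
# never fires for the real property.
VALIDATOR_XML = r"""
<form-validation>
  <formset>
    <form name="RegistrationForm">
      <field property="name" depends="required"><arg key="RegistrationForm.name"/></field>
      <field property="address" depends="required"><arg key="RegistrationForm.address"/></field>
      <field property="city" depends="required"><arg key="RegistrationForm.city"/></field>
      <field property="state" depends="required,mask">
        <arg key="RegistrationForm.state"/>
        <var><var-name>mask</var-name><var-value>^[A-Z]{2}$</var-value></var>
      </field>
      <field property="zipCode" depends="required,mask">
        <arg key="RegistrationForm.zipcode"/>
        <var><var-name>mask</var-name><var-value>^\d{5}$</var-value></var>
      </field>
      <field property="email" depends="required,email"><arg key="RegistrationForm.email"/></field>
    </form>
  </formset>
</form-validation>
"""

# The corrected file: property name fixed and a rule added for "phone" (also constructed).
FIXED_VALIDATOR_XML = VALIDATOR_XML.replace('property="zipCode"', 'property="zipcode"').replace(
    "</form>",
    '<field property="phone" depends="required,mask"><arg key="RegistrationForm.phone"/>'
    '<var><var-name>mask</var-name><var-value>^\\d{3}-\\d{3}-\\d{4}$</var-value></var></field>'
    "</form>")

# Matches "private <type> <name>;" or "private <type> <name> = <init>;" on one line;
# static members (serialVersionUID and the like) are not form fields and are skipped.
FIELD_DECL = re.compile(r'^\s*private\s+(?!static\b)[\w.<>\[\],\s]+?\s+(\w+)\s*(?:=[^;]*)?;',
                        re.MULTILINE)


def form_fields(java_source):
    """Names of the private instance fields declared in an ActionForm class."""
    return set(FIELD_DECL.findall(java_source))


def declared_validators(xml_text, form_name):
    """Map property -> list of validators from the <form name=...> block in validator.xml."""
    root = ET.fromstring(xml_text)
    for form in root.iter("form"):
        if form.get("name") == form_name:
            return {f.get("property"): [d.strip() for d in (f.get("depends") or "").split(",")
                                        if d.strip()]
                    for f in form.findall("field")}
    return {}  # no block for this form: every field is unvalidated


def unvalidated_fields(java_source, xml_text, form_name):
    """Form fields with no <field> entry, or an entry with an empty depends list (CWE-105)."""
    rules = declared_validators(xml_text, form_name)
    return sorted(f for f in form_fields(java_source) if not rules.get(f))


def dangling_validators(java_source, xml_text, form_name):
    """<field> entries whose property matches no field on the form (usually a typo)."""
    fields = form_fields(java_source)
    return sorted(p for p in declared_validators(xml_text, form_name) if p not in fields)


if __name__ == "__main__":
    for label, xml in (("original", VALIDATOR_XML), ("fixed", FIXED_VALIDATOR_XML)):
        print(label,
              "unvalidated:", unvalidated_fields(FORM_SOURCE, xml, "RegistrationForm"),
              "dangling:", dangling_validators(FORM_SOURCE, xml, "RegistrationForm"))
```

Run the same two functions over every form class and every <form> block in a real code base; a non-empty result from either is a finding, and the "dangling" list is worth checking first because the configuration looks complete to a reviewer who only reads validator.xml.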

Notes
