logo

Struts: Incomplete validate() Method Definition

Draft Variant
Structure: Simple
Description

This vulnerability occurs in a Struts application when a validator form either completely omits a validate() method or includes one but fails to call super.validate() within it.

Extended Description

In the Struts validation framework, the super.validate() call is essential because it triggers the framework's built-in validation logic. Without this call, the framework cannot process the validation rules defined for the form, effectively leaving the form's input unchecked and allowing potentially malicious or malformed data to proceed. As a result, the entire validation layer for that specific form is disabled, creating a security gap where attackers can bypass intended data checks. Developers must ensure every custom validate() method explicitly invokes super.validate() to maintain the security chain and enforce all configured validation constraints.
Common Consequences 2
Scope: Other

Impact: Other

Disabling the validation framework for a form exposes the product to numerous types of attacks. Unchecked input is the root cause of vulnerabilities like cross-site scripting, process control, and SQL injection.

Scope: ConfidentialityIntegrityAvailabilityOther

Impact: Other

Although J2EE applications are not generally susceptible to memory corruption attacks, if a J2EE application interfaces with native code that does not perform array bounds checking, an attacker may be able to use an input validation mistake in the J2EE application to launch a buffer overflow attack.
Detection Methods 1
Automated Static AnalysisHigh
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Potential Mitigations 1
Phase: Implementation
Implement the validate() method and call super.validate() within that method.
Demonstrative Examples 1
In the following Java example the class RegistrationForm is a Struts framework ActionForm Bean that will maintain user input data from a registration webpage for an online business site. The user will enter registration data and the RegistrationForm bean in the Struts framework will maintain the user data. Tthe RegistrationForm class implements the validate method to validate the user input entered into the form.

Code Example:

Bad
Java
java
Although the validate method is implemented in this example the method does not call the validate method of the ValidatorForm parent class with a call super.validate(). Without the call to the parent validator class only the custom validation will be performed and the default validation will not be performed. The following example shows that the validate method of the ValidatorForm class is called within the implementation of the validate method.

Code Example:

Good
Java
java
References 1
Seven Pernicious Kingdoms: A Taxonomy of Software Security Errors
Katrina Tsipenyuk, Brian Chess, and Gary McGraw
NIST Workshop on Software Security Assurance Tools Techniques and MetricsNIST
07-11-2005
https://samate.nist.gov/SSATTM_Content/papers/Seven%20Pernicious%20Kingdoms%20-%20Taxonomy%20of%20Sw%20Security%20Errors%20-%20Tsipenyuk%20-%20Chess%20-%20McGraw.pdf
ID: REF-6
Applicable Platforms
Languages:
Java : Undetermined
Modes of Introduction
Implementation
Related Weaknesses
ChildOf: Improper Following of Specification by Caller (CWE-573)
ChildOf: Improper Input Validation (CWE-20)
Taxonomy Mapping
  • 7 Pernicious Kingdoms
  • Software Fault Patterns
Notes
RelationshipThis could introduce other weaknesses related to missing input validation.
MaintenanceThe current description implies a loose composite of two separate weaknesses, so this node might need to be split or converted into a low-level category.