CWE-1041 – Use of Redundant Code

Description

The software has multiple functions, methods, procedures, macros, etc. that
contain the same code.

Modes of Introduction:

 

 

Related Weaknesses

CWE-710

 

Consequences

Other: Reduce Maintainability

 

Potential Mitigations

CVE References

CWE-104 – Struts: Form Bean Does Not Extend Validation Class

Description

If a form bean does not extend an ActionForm subclass of the Validator framework, it can expose the application to other weaknesses related to insufficient input validation.

In order to use the Struts Validator, a form must extend one of the following: ValidatorForm, ValidatorActionForm, DynaValidatorActionForm, and DynaValidatorForm. One of these classes must be extended because the Struts Validator ties into the application by implementing the validate() method in these classes. Forms derived from the ActionForm and DynaActionForm classes cannot use the Struts Validator.

Modes of Introduction:

– Implementation

 

 

Related Weaknesses

CWE-573
CWE-20

 

Consequences

Other: Other

Bypassing the validation framework for a form exposes the application to numerous types of attacks. Unchecked input is an important component of vulnerabilities like cross-site scripting, process control, and SQL injection.

Confidentiality, Integrity, Availability, Other: Other

Although J2EE applications are not generally susceptible to memory corruption attacks, if a J2EE application interfaces with native code that does not perform array bounds checking, an attacker may be able to use an input validation mistake in the J2EE application to launch a buffer overflow attack.

 

Potential Mitigations

Phase: Implementation

Description: 

Ensure that all forms extend one of the Validation Classes.

CVE References

CWE-1039 – Automated Recognition Mechanism with Inadequate Detection or Handling of Adversarial Input Perturbations

Description

The product uses an automated mechanism such as machine learning to recognize complex data inputs (e.g. image or audio) as a particular concept or category, but it does not properly detect or handle inputs that have been modified or constructed in a way that causes the mechanism to detect a different, incorrect concept.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-693
CWE-697

 

Consequences

Integrity: Bypass Protection Mechanism

When the automated recognition is used in a protection mechanism, an attacker may be able to craft inputs that are misinterpreted in a way that grants excess privileges.

 

Potential Mitigations

CVE References

CWE-1038 – Insecure Automated Optimizations

Description

The product uses a mechanism that automatically optimizes code, e.g. to improve a characteristic such as performance, but the optimizations can have an unintended side effect that might violate an intended security assumption.

Modes of Introduction:

– Architecture and Design

 

Likelihood of Exploit: Low

 

Related Weaknesses

CWE-435
CWE-758

 

Consequences

Integrity: Alter Execution Logic

The optimizations alter the order of execution resulting in side effects that were not intended by the original developer.

 

Potential Mitigations

CVE References

CWE-1037 – Processor Optimization Removal or Modification of Security-critical Code

Description

The developer builds a security-critical protection mechanism into the software, but the processor optimizes the execution of the program such that the mechanism is removed or modified.

Modes of Introduction:

– Architecture and Design

 

Likelihood of Exploit: Low

 

Related Weaknesses

CWE-1038

 

Consequences

Integrity: Bypass Protection Mechanism

A successful exploitation of this weakness will change the order of an application’s execution and will likely be used to bypass specific protection mechanisms. This bypass can be exploited further to potentially read data that should otherwise be inaccessible.

 

Potential Mitigations

CVE References

  • CVE-2017-5715
    • Intel, ARM, and AMD processor optimizations related to speculative execution and branch prediction cause access control checks to be bypassed when placing data into the cache. Often known as “Spectre”.
  • CVE-2017-5753
    • Intel, ARM, and AMD processor optimizations related to speculative execution and branch prediction cause access control checks to be bypassed when placing data into the cache. Often known as “Spectre”.
  • CVE-2017-5754
    • Intel processor optimizations related to speculative execution cause access control checks to be bypassed when placing data into the cache. Often known as “Meltdown”.

CWE-103 – Struts: Incomplete validate() Method Definition

Description

The application has a validator form that either does not define a validate() method, or defines a validate() method but does not call super.validate().

If the code does not call super.validate(), the Validation Framework cannot check the contents of the form against a validation form. In other words, the validation framework will be disabled for the given form.

The Struts Validator uses a form’s validate() method to check the contents of the form properties against the constraints specified in the associated validation form. That means the following classes have a validate() method that is part of the validation framework: ValidatorForm, ValidatorActionForm, DynaValidatorForm, and DynaValidatorActionForm. If the code creates a class that extends one of these classes, and if that class implements custom validation logic by overriding the validate() method, the code must call super.validate() in the validate() implementation.

Modes of Introduction:

– Implementation

 

 

Related Weaknesses

CWE-573
CWE-20

 

Consequences

Other: Other

Disabling the validation framework for a form exposes the application to numerous types of attacks. Unchecked input is the root cause of vulnerabilities like cross-site scripting, process control, and SQL injection.

Confidentiality, Integrity, Availability, Other: Other

Although J2EE applications are not generally susceptible to memory corruption attacks, if a J2EE application interfaces with native code that does not perform array bounds checking, an attacker may be able to use an input validation mistake in the J2EE application to launch a buffer overflow attack.

 

Potential Mitigations

Phase: Implementation

Description: 

Implement the validate() method and call super.validate() within that method.

CVE References

CWE-1025 – Comparison Using Wrong Factors

Description

The code performs a comparison between two entities, but the comparison examines the wrong factors or characteristics of the entities, which can lead to incorrect results and resultant weaknesses.

For example, the code might inadvertently compare references to objects instead of the relevant contents of those objects, causing two “equal” objects to be considered unequal.

Modes of Introduction:

– Implementation

 

 

Related Weaknesses

CWE-697

 

Consequences

Other: Varies by Context

 

Potential Mitigations

Phase: Testing

Description: 

Thoroughly test the comparison scheme before deploying code into production. Perform positive testing as well as negative testing.

CVE References

CWE-1024 – Comparison of Incompatible Types

Description

The software performs a comparison between two entities, but the entities are of different, incompatible types that cannot be guaranteed to provide correct results when they are directly compared.

In languages that are strictly typed but support casting/conversion, such as C or C++, the programmer might assume that casting one entity to the same type as another entity will ensure that the comparison will be performed correctly, but this cannot be guaranteed. In languages that are not strictly typed, such as PHP or JavaScript, there may be implicit casting/conversion to a type that the programmer is unaware of, causing unexpected results; for example, the string “123” might be converted to a number type. See examples.
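As an added illustration (not part of the CWE entry), the following JavaScript shows the implicit conversion the paragraph describes and a comparison helper that refuses to compare across types. The value pairs and the owner-check function are constructed for this example and assume a service that stores a numeric owner id but receives the requester's id as a string.

```javascript
// Added example, not from the CWE page: JavaScript's == converts operands
// of incompatible types before comparing, so a string can "equal" a number
// or a boolean. A typed comparison makes the mismatch visible instead.

// Constructed pairs a lax check might meet: stored value on the left,
// request-supplied value on the right.
const CONSTRUCTED_PAIRS = [
  [123, "123"],      // numeric id vs. its string form
  [1000, "1e3"],     // exponent notation converts to the same number
  [0, ""],           // empty string converts to 0
  [false, "0"],      // "0" converts to 0, and so does false
  [null, undefined], // loosely equal, strictly not
  [123, 123],        // genuinely equal, same type
];

// Mirrors the weakness: relies on implicit conversion.
function looseMatch(stored, supplied) {
  return stored == supplied; // eslint-disable-line eqeqeq
}

// Refuses to compare across types. Returns null (not false) for an
// incompatible pair so callers cannot confuse "incompatible" with "unequal".
function typedMatch(stored, supplied) {
  if (typeof stored !== typeof supplied) return null;
  return stored === supplied;
}

// Deny-by-default ownership check: an incompatible comparison is a denial.
// In a real handler the supplied string would be parsed and validated into
// a number first; the point here is that the comparison itself never coerces.
function ownerMatches(storedOwnerId, suppliedOwnerId) {
  return typedMatch(storedOwnerId, suppliedOwnerId) === true;
}

// How many constructed pairs does == call equal although the types differ?
function countCoercedMatches(pairs = CONSTRUCTED_PAIRS) {
  return pairs.filter(([a, b]) => looseMatch(a, b) && typeof a !== typeof b).length;
}
```

Running it with Node, `countCoercedMatches()` reports that five of the six pairs are "equal" under `==` only because of conversion, while `typedMatch` returns `null` for each of them and `ownerMatches(123, "123")` is false.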

Modes of Introduction:

– Implementation

 

 

Related Weaknesses

CWE-697

 

Consequences

Other: Varies by Context

 

Potential Mitigations

Phase: Testing

Description: 

Thoroughly test the comparison scheme before deploying code into production. Perform positive testing as well as negative testing.

CVE References

CWE-1023 – Incomplete Comparison with Missing Factors

Description

The software performs a comparison between entities that must consider multiple factors or characteristics of each entity, but the comparison does not include one or more of these factors.

An incomplete comparison can lead to resultant weaknesses, e.g., by operating on the wrong object or making a security decision without considering a required factor.
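The following JavaScript, added here and not part of either CWE entry, puts both comparison mistakes side by side: comparing object references instead of contents (CWE-1025 above) and comparing only some of the fields that identify a principal (this entry). The `{ tenant, user }` principal shape, the sample principals and the owner check are constructed for the example.

```javascript
// Added example, not from the CWE page: a wrong-factor comparison and a
// missing-factor comparison beside the complete one.

// Constructed principals: the same person twice (one a fresh copy, as after
// deserializing a session), and a same-named user in another tenant.
const alice = { tenant: "acme", user: "alice" };
const aliceCopy = { tenant: "acme", user: "alice" };
const otherAlice = { tenant: "globex", user: "alice" };

// Wrong factor (CWE-1025): === on objects tests identity, not contents,
// so an equal copy of the same principal compares unequal.
function samePrincipalByReference(a, b) {
  return a === b;
}

// Missing factor (CWE-1023): matching on the user name alone ignores the
// tenant, so a same-named user elsewhere is treated as the owner.
function samePrincipalByUserOnly(a, b) {
  return a.user === b.user;
}

// Complete comparison: every identifying field, by value. Keeping the list
// in one place means a new identifying field is added exactly once.
const IDENTITY_FIELDS = ["tenant", "user"];
function equalOn(fields, a, b) {
  return fields.every((f) => a[f] === b[f]);
}
function samePrincipal(a, b) {
  return equalOn(IDENTITY_FIELDS, a, b);
}

// Owner check a resource handler would call: deny unless every factor matches.
function isOwner(resource, requester) {
  return samePrincipal(resource.owner, requester);
}

// Outcome of each comparison on the constructed principals.
function comparisonReport() {
  const doc = { id: "doc-1", owner: alice }; // constructed resource
  return {
    byReference: samePrincipalByReference(alice, aliceCopy), // false: wrong factor
    byUserOnly: samePrincipalByUserOnly(alice, otherAlice),  // true: missing factor
    ownerCopy: isOwner(doc, aliceCopy),                      // true
    ownerCrossTenant: isOwner(doc, otherAlice),              // false
  };
}
```

The first two results are the two weaknesses in action: the reference comparison denies the legitimate copy, and the user-only comparison admits the wrong tenant. The positive and negative tests the mitigation asks for are exactly `ownerCopy` and `ownerCrossTenant`.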

Modes of Introduction:

– Implementation

 

 

Related Weaknesses

CWE-697

 

Consequences

Integrity, Access Control: Alter Execution Logic, Bypass Protection Mechanism

 

Potential Mitigations

Phase: Testing

Description: 

Thoroughly test the comparison scheme before deploying code into production. Perform positive testing as well as negative testing.

CVE References

CWE-1022 – Use of Web Link to Untrusted Target with window.opener Access

Description

The web application produces links to untrusted external sites outside of its sphere of control, but it does not properly prevent the external site from modifying security-critical properties of the window.opener object, such as the location property.

When a user clicks a link to an external site (“target”), the target="_blank" attribute causes the target site’s contents to be opened in a new window or tab, which runs in the same process as the original page. The window.opener object records information about the original page that offered the link. If an attacker can run script on the target page, then they could read or modify certain properties of the window.opener object, including the location property – even if the original and target site are not the same origin. An attacker can modify the location property to automatically redirect the user to a malicious site, e.g. as part of a phishing attack. Since this redirect happens in the original window/tab – which is not necessarily visible, since the browser is focusing the display on the new target page – the user might not notice any suspicious redirection.

Modes of Introduction:

– Architecture and Design

 

Likelihood of Exploit: Medium

 

Related Weaknesses

CWE-266

 

Consequences

Confidentiality: Alter Execution Logic

The user may be redirected to an untrusted page that contains undesired content or malicious script code.

 

Potential Mitigations

Phase: Architecture and Design

Description: 

Specify in the design that any linked external document must not be granted access to the location object of the calling page.

Phase: Implementation

Description: 

Phase: Implementation

Description: 

CVE References
