Kingdom: Environment
This section includes everything that is outside of the source code but is still critical to the security of the product that is being created. Because the issues covered by this kingdom are not directly related to source code, we separated it from the rest of the kingdoms.
Struts Misconfiguration: Missing Form Bean Name
Abstract
A
form-bean without a name attribute will not be used.Explanation
Struts uses the
Here is a proper form-bean example:
Example 1: The following
form-bean name to map HTML forms to actions. If a form-bean does not have a name, it cannot be mapped to an action and indicates either a superfluous definition or an accidentally omitted bean.Here is a proper form-bean example:
Example 1: The following
form-bean has an empty name attribute.
<form-beans>
<form-bean name="" type="org.apache.struts.validator.DynaValidatorForm">
<form-property name="name" type="java.lang.String" />
<form-property name="password" type="java.lang.String" />
</form-bean>
</form-beans>
References
[1] Apache Struts 1.3 Specification
[2] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[3] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[4] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[5] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
desc.config.java.struts_misconfiguration_missing_form_bean_name