541 找到的項目
弱點

Struts 2: Action Field Without Validator

Abstract
已找到不含對應驗證定義的 Action Field
Explanation
一個或多個 Action Field 沒有對應的驗證定義項目。每個欄位應有參照 ActionClass-validation.xml 的明確驗證程序。

當開發人員移除或重新命名操作表單對應後,很容易忘記去更新驗證邏輯。缺少驗證器定義項目是驗證邏輯未受到適當維護的其中一種跡象。

維護驗證邏輯,並與應用程式的其他部分保持同步化是非常重要的。未經檢查的輸入是導致目前最糟糕、最常見的軟體安全問題的根源。Cross-site scripting、SQL injection 和 process control 的弱點是由於缺少輸入驗證或輸入驗證不完整而造成的。雖然 J2EE 應用程式在通常情況下不容易因損壞記憶體而受到影響,但是如果 J2EE 應用程式連接到未執行陣列界線檢查的本地程式碼,攻擊者就能夠在 J2EE 應用程式中利用輸入驗證錯誤發起 Buffer overflow 攻擊。
References
[1] T. Husted et al. Struts in Action: Building Web Applications with the Leading Java Framework Manning Publications
[2] The Struts2 Validation Framework The Apache Foundation
[3] Standards Mapping - Common Weakness Enumeration CWE ID 108
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[5] Standards Mapping - FIPS200 SI
[6] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[9] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[10] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[11] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[12] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[13] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[14] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[15] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[27] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[28] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[29] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[50] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)
desc.structural.java.struts2_action_field_without_validator

Struts 2: Duplicate Action Field Validators

Abstract
多個 Struts2 欄位驗證器參照使用相同名稱。若有重複的驗證器參照,表示驗證方式不是最新的。
Explanation
ActionClass-validation.xml 中有多個欄位驗證器定義使用相同名稱。相同名稱的重複驗證定義,會導致運作方式不正常。

範例 1:以下項目顯示兩個重複的欄位驗證器定義。


   <field name="emailField">
      <field-validator type="email" short-circuit="true">
          <message>You must enter a value for email.</message>
      </field-validator>
      <field-validator type="email" short-circuit="true">
          <message>Not a valid email.</message>
      </field-validator>
  </field>


維護驗證邏輯,並與應用程式的其他部分保持同步化是非常重要的。未經檢查的輸入是導致目前最糟糕、最常見的軟體安全問題的根源。Cross-site scripting、SQL injection 和 process control 的弱點是由於缺少輸入驗證或輸入驗證不完整而造成的。雖然 J2EE 應用程式在通常情況下不容易因記憶體損壞攻擊而受到影響,但是如果 J2EE 應用程式連接到未執行陣列界限檢查的本地程式碼,攻擊者就能夠在 J2EE 應用程式中利用輸入驗證錯誤發起 Buffer overflow 攻擊。
References
[1] T. Husted et al. Struts in Action: Building Web Applications with the Leading Java Framework Manning Publications
[2] The Struts2 Validation Framework The Apache Foundation
[3] Standards Mapping - Common Weakness Enumeration CWE ID 102
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[5] Standards Mapping - FIPS200 CM
[6] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[9] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[10] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[11] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[12] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[13] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[14] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[15] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[20] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[21] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[22] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[23] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[24] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[25] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[26] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[27] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[28] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[29] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[43] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)
desc.config.java.struts2_duplicate_action_field_validators

Struts 2: Duplicate Validation Files

Abstract
此 Action 存在有多個 Struts2 Validation 檔案。若有多個驗證表單表示驗證方式不是最新的。
Explanation
在這個 Struts2 Action 定義中發現一個以上的 ActionClass-validation.xml 檔案。對每個在 ActionClass 表單中定義的 Struts2 Action 而言,Struts2 會就必要的驗證限制,搜尋相對應的 ActionClass-validation.xml。單一 Action 包含部署在內若給定多個驗證定義,可能會導致非預期的結果。

如果兩個驗證表單具有相同的名稱,Struts Validator 會任意選擇一個表單來進行輸入驗證,而放棄另外一個。這可能不是程式設計師所期望的。而且,這表示沒有維護驗證邏輯,並表示可能存在其他未察覺的驗證錯誤。

維護驗證邏輯,並與應用程式的其他部分保持同步化是非常重要的。未經檢查的輸入是導致目前最糟糕、最常見的軟體安全問題的根源。Cross-site scripting、SQL injection 和 process control 的弱點是由於缺少輸入驗證或輸入驗證不完整而造成的。雖然 J2EE 應用程式在通常情況下不容易因損壞記憶體而受到影響,但是如果 J2EE 應用程式連接到未執行陣列界線檢查的本地程式碼,攻擊者就能夠在 J2EE 應用程式中利用輸入驗證錯誤發起 Buffer overflow 攻擊。
References
[1] T. Husted et al. Struts in Action: Building Web Applications with the Leading Java Framework Manning Publications
[2] The Struts2 Validation Framework The Apache Foundation
[3] Standards Mapping - Common Weakness Enumeration CWE ID 102
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[5] Standards Mapping - FIPS200 CM
[6] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[9] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[10] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[11] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[12] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[13] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[14] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[15] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[20] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[21] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[22] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[23] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[24] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[25] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[26] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[27] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[28] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[29] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[43] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)
desc.structural.java.struts2_duplicate_validation_files

Struts 2: Duplicate Validators

Abstract
多個 Struts2 Validator 參照使用相同名稱。若有重複的驗證器參照,表示驗證方式不是最新的。
Explanation
validators.xml 發現超過一個驗證器參照。多個相同名稱的驗證定義,會導致運作方式不正常。

如果兩個類別定義為相同的名稱,Struts Validator 會任意選擇一個表單來進行輸入驗證,而放棄另外一個。這可能不是程式設計師所期望的。而且,這表示沒有維護驗證邏輯,並表示可能存在其他未察覺的驗證錯誤。

維護驗證邏輯,並與應用程式的其他部分保持同步化是非常重要的。未經檢查的輸入是導致目前最糟糕、最常見的軟體安全問題的根源。Cross-site scripting、SQL injection 和 process control 的弱點是由於缺少輸入驗證或輸入驗證不完整而造成的。雖然 J2EE 應用程式在通常情況下不容易因記憶體損壞攻擊而受到影響,但是如果 J2EE 應用程式連接到未執行陣列界限檢查的本地程式碼,攻擊者就能夠在 J2EE 應用程式中利用輸入驗證錯誤發起 Buffer overflow 攻擊。
References
[1] T. Husted et al. Struts in Action: Building Web Applications with the Leading Java Framework Manning Publications
[2] The Struts2 Validation Framework The Apache Foundation
[3] Standards Mapping - Common Weakness Enumeration CWE ID 102
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[5] Standards Mapping - FIPS200 CM
[6] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[9] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[10] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[11] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[12] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[13] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[14] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[15] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[20] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[21] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[22] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[23] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[24] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[25] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[26] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[27] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[28] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[29] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[43] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)
desc.config.java.struts2_duplicate_validators

Struts 2: Undeclared Validator

Abstract
沒有在 validators.xml 中宣告 ActionClass-validation.xml 中參照的驗證器
Explanation
Struts2 的自訂驗證器都必須先定義於 validators.xml 中,才能用於動作驗證器定義。若有驗證器定義遺失,表示驗證方式不是最新的。

範例 1:validators.xml 中找不到下列動作驗證器。

<validators>
    <validator name="required" class="com.opensymphony.xwork2.validator.validators.RequiredFieldValidator"/>
</validators>


維護驗證邏輯,並與應用程式的其他部分保持同步化是非常重要的。未經檢查的輸入是導致目前最糟糕、最常見的軟體安全問題的根源。Cross-site scripting、SQL injection 和 process control 的弱點是由於缺少輸入驗證或輸入驗證不完整而造成的。雖然 J2EE 應用程式在通常情況下不容易因記憶體損壞攻擊而受到影響,但是如果 J2EE 應用程式連接到未執行陣列界限檢查的本地程式碼,攻擊者就能夠在 J2EE 應用程式中利用輸入驗證錯誤發起 Buffer overflow 攻擊。
References
[1] T. Husted et al. Struts in Action: Building Web Applications with the Leading Java Framework Manning Publications
[2] The Struts2 Validation Framework The Apache Foundation
[3] Standards Mapping - Common Weakness Enumeration CWE ID 1173
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[5] Standards Mapping - FIPS200 SI
[6] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[9] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[10] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[11] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[12] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[13] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[14] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[15] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[27] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[28] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[29] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[50] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)
desc.config.java.struts2_undeclared_validator

Struts 2: Unvalidated Action

Abstract
Struts2 Actions 會使用 Struts Validation 框架以防止由未經檢驗的輸入所造成的弱點。
Explanation
在 J2EE 應用程式中,未經檢查的輸入是弱點產生的主因。未經檢查的輸入資料會導致許多弱點的產生,包括 Cross-Site Scripting、Process Control 和 SQL injection。雖然 J2EE 應用程式在通常情況下不容易因記憶體損壞攻擊而受到影響,但是如果 J2EE 應用程式連接到未執行陣列界限檢查的本地程式碼,攻擊者就能夠在 J2EE 應用程式中利用輸入驗證錯誤發起 Buffer overflow 攻擊。

為了避免此類攻擊,應在應用程式處理輸入資料之前使用 Struts Validation 框架來檢查所有程式的輸入資料。使用 Fortify Static Code Analyzer 來確保 Struts Validator 的配置不存在任何弱點。

驗證器的範例用法包括進行檢查並確保:

- 在電話號碼欄位中只包含電話號碼的有效字元

- Boolean 值只有「T」或者「F」

- 未限定格式的字串必須有合理的長度,並且由有效的字元組成
References
[1] T. Husted et al. Struts in Action: Building Web Applications with the Leading Java Framework Manning Publications
[2] The Struts Project The Apache Foundation
[3] Standards Mapping - Common Weakness Enumeration CWE ID 1173
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[5] Standards Mapping - FIPS200 SI
[6] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[9] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[10] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[11] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[12] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[13] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[14] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[15] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[27] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[28] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[29] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[50] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)
desc.structural.java.struts2_unvalidated_action

Struts 2: Validation File Without Action

Abstract
找到 Struts2 Validation 檔案,但沒有相對應的 Struts2 Action。
Explanation
找到一個 Struts2 Validation 檔案但沒有相符的 Struts2 Action。對每個 ActionClass 而言,Struts2 會搜尋相對應的 ActionClass-validation.xml 中必要的驗證限制。在此案例中,在 ActionClass-validation.xml 表單中找到一個驗證檔案,但是 ActionClass 不符合 Struts2 組態設定檔案中定義的 Action。

當開發人員移除或重新命名操作表單對應後,很容易忘記去更新驗證邏輯。存在 Unused Validation Form,是驗證邏輯未受到適當維護的一個跡象。
References
[1] The Struts2 Validation Framework The Apache Foundation
[2] Standards Mapping - Common Weakness Enumeration CWE ID 1173
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[4] Standards Mapping - FIPS200 CM
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[7] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[8] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[9] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[10] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[11] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[12] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[13] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[20] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[21] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[22] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[23] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[24] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[25] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[26] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[27] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[28] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[29] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[43] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)
desc.config.java.struts2_validation_file_without_action

Struts 2: Validator Without Action Field

Abstract
對不存在的動作欄位定義 Struts2 Validator。
Explanation
Struts2 Validator 定義參照不存在的動作欄位。

當開發人員移除或重新命名操作表單對應後,很容易忘記去更新驗證邏輯。存在落單驗證器定義,是驗證邏輯未受到適當維護的一個跡象。
References
[1] T. Husted et al. Struts in Action: Building Web Applications with the Leading Java Framework Manning Publications
[2] The Struts2 Validation Framework The Apache Foundation
[3] Standards Mapping - Common Weakness Enumeration CWE ID 105
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[5] Standards Mapping - FIPS200 CM
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[8] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[9] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[10] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[11] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[12] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[13] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[14] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[21] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[22] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[23] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[24] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[25] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[26] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[27] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[28] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[29] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[44] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)
desc.config.java.struts2_validator_without_action_field

Struts Misconfiguration: Duplicate Form Bean

Abstract
有多個 form-bean 項目使用相同名稱。相同的 form-bean 名稱通常表示沒有被除錯的程式碼或拼字錯誤。
Explanation
相同的 form-bean 名稱並沒有意義,因為相同的名稱在多個 <form-bean> 標籤中使用,只會註冊最後一項項目。

範例 1:以下組態擁有兩個名稱相同的 form-bean 項目。

<form-beans>
  <form-bean name="loginForm" type="org.apache.struts.validator.DynaValidatorForm">
    <form-property name="name" type="java.lang.String" />
    <form-property name="password" type="java.lang.String" />
  </form-bean>
  <form-bean name="loginForm" type="org.apache.struts.validator.DynaActionForm">
    <form-property name="favoriteColor" type="java.lang.String" />
  </form-bean>
</form-beans>
References
[1] Apache Struts 1.3 Specification
[2] Standards Mapping - Common Weakness Enumeration CWE ID 694
[3] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[4] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[5] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[6] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[7] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[8] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[9] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
desc.config.java.struts_misconfiguration_duplicate_form_bean

Struts Misconfiguration: Invalid Path

Abstract
無效路徑項目可能讓 Struts 找不到服務要求所需的正確資源位置。
Explanation
Struts 使用 path 屬性來尋找處理要求所需的資源。因為路徑為相對模式的位置,如果路徑不是以「/」字元開頭則視為錯誤。

範例 1:以下組態包含空白路徑。

<global-exceptions>
  <exception key="global.error.invalidLogin" path="" scope="request" type="InvalidLoginException" />
</global-exceptions>
範例 2:以下組態使用不是以「/」字元開頭的路徑。

<global-forwards>
  <forward name="login" path="Login.jsp" />
</global-forwards>
References
[1] Apache Struts Specification
[2] Chuck Caveness, Brian Keeton
[3] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[4] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[5] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[6] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[7] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
desc.config.java.struts_misconfiguration_invalid_path

Struts Misconfiguration: Missing Action Input

Abstract
省略可傳回驗證錯誤的已命名 Struts Action 的 input 屬性視為錯誤。
Explanation
每當已命名動作傳回驗證錯誤[2]時,Struts 規格就會要求 input 屬性。發生驗證錯誤時,input 屬性會指定顯示錯誤訊息的頁面。
範例 1:以下組態定義已命名的驗證作業動作,但並未指定 input 屬性。

<action-mappings>
  <action   path="/Login"
            type="com.LoginAction"
            name="LoginForm"
            scope="request"
            validate="true" />
</action-mappings>
References
[1] Apache Struts Specification
[2] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[3] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[4] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[5] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[6] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[7] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[8] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
desc.config.java.struts_misconfiguration_missing_action_input

Struts Misconfiguration: Missing Exception Type

Abstract
不會使用不包含 type 屬性的 <exception>
Explanation
<exception> 標籤要求定義例外類型。缺少或空白的 type 屬性表示有多餘的異常處理器或是意外的省略。如果開發人員想要處理異常,但忘記定義異常類型,應用程式就可能洩露系統的敏感資訊。
範例 1:以下組態省略 <exception> 標籤的類型。

  <global-exceptions>
    <exception
      key="error.key"
      handler="com.mybank.ExceptionHandler"/>
  </global-exceptions>
References
[1] Apache Struts Specification
[2] Standards Mapping - Common Weakness Enumeration CWE ID 248
[3] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[4] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[5] Standards Mapping - OWASP Top 10 2004 A7 Improper Error Handling
[6] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[7] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[8] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[9] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.7
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.2, Requirement 6.5.6
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[19] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3120 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3120 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3120 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3120 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3120 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3120 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3120 CAT II
desc.config.java.struts_misconfiguration_missing_exception_type

Struts Misconfiguration: Missing Form Bean

Abstract
指向不存在 form-bean 的 Struts action 將無法正確對應。
Explanation
Struts 使用 form-bean 項目進行 HTML 型式與動作的對應。如果 <action> 標籤中的 name 屬性無法與 form-bean 的名稱對應,就無法對應該動作,並且表示該項目為不必要的定義或拼字錯誤。

範例 1:以下組態不包含 bean2 的對應。

<form-beans>
  <form-bean name="bean1" type="coreservlets.UserFormBean" />
</form-beans>

<action-mappings>
  <action path="/actions/register1" type="coreservlets.RegisterAction1" name="bean1" scope="request" />
  <action path="/actions/register2" type="coreservlets.RegisterAction2" name="bean2" scope="request" />
</action-mappings>
References
[1] Apache Struts 1.3 Specification
[2] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[3] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[4] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[5] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[6] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[7] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention
[8] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention
desc.config.java.struts_misconfiguration_missing_form_bean

Struts Misconfiguration: Missing Form Bean Name

Abstract
不會使用沒有 name 屬性的 form-bean
Explanation
Struts 使用 form-bean 名稱進行 HTML 型式與動作的對應。如果 form-bean 沒有名稱,就無法對應至動作,這表示該項目為不必要的定義或是意外省略的 Bean。
此為正確的 Form-Bean 範例:
範例 1:以下 form-bean 有一項空的 name 屬性。

<form-beans>
  <form-bean name="" type="org.apache.struts.validator.DynaValidatorForm">
    <form-property name="name" type="java.lang.String" />
    <form-property name="password" type="java.lang.String" />
  </form-bean>
</form-beans>
References
[1] Apache Struts 1.3 Specification
[2] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[3] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[4] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[5] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
desc.config.java.struts_misconfiguration_missing_form_bean_name

Struts Misconfiguration: Missing Form Bean Type

Abstract
沒有 type 屬性的 form-bean 將無法正確對應。
Explanation
Struts 使用 form-bean 項目進行 HTML 型式與動作的對應。如果 form-bean 沒有類型,就無法對應至動作。
範例 1:以下 form-bean 有一項空的 type 屬性。

<form-beans>
  <form-bean name="loginForm" type="">
    <form-property name="name" type="java.lang.String" />
    <form-property name="password" type="java.lang.String" />
  </form-bean>
</form-beans>
References
[1] Apache Struts 1.3 Specification
[2] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[3] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[4] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[5] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
desc.config.java.struts_misconfiguration_missing_form_bean_type

Struts Misconfiguration: Missing Form Property Type

Abstract
定義不包含 type 類型屬性的 form-property 視為錯誤。
Explanation
Struts 要求 <form-property> 標籤必須包括 type 屬性。處理定義沒有類型的 form-property 的表單時,Struts 將會拋出異常。

範例 1:以下組態省略 name 屬性的類型。

<form-bean name="loginForm" type="org.apache.struts.validator.DynaValidatorForm">
  <form-property name="name" />
  <form-property name="password" type="java.lang.String" />
</form-bean>
References
[1] Apache Struts 1.3 Specification
[2] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[3] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[4] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[5] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
desc.config.java.struts_misconfiguration_missing_form_property_type

Struts Misconfiguration: Missing Forward Name

Abstract
沒有 name 屬性的 <forward> 標籤通常表示 leftover debug code 或拼字錯誤。
Explanation
<forward> 標籤必須有 namepath 屬性。沒有名稱的話,就永遠不會使用 forward

範例 1:以下 <forward> 標籤有一項空的 name 屬性。

    <forward name="" path="/results.jsp"/>
References
[1] Apache Struts 1.3 Specification
[2] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[3] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[4] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[5] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[6] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
desc.config.java.struts_misconfiguration_missing_forward_name

Struts Misconfiguration: Missing Forward Path

Abstract
沒有 path 屬性的 <forward> 標籤通常表示 leftover debug code 或拼字錯誤。
Explanation
<forward> 標籤必須有 namepath 屬性。省略路徑或指定一個空白路徑皆視為錯誤。此外,所有路徑都必需以「/」字元開頭。

範例 1:以下 <forward> 標籤缺少 path 屬性。

    <forward name="success" />
References
[1] Apache Struts 1.3 Specification
[2] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[3] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[4] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[5] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[6] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
desc.config.java.struts_misconfiguration_missing_forward_path

Struts: Duplicate Validation Forms

Abstract
有多個同名的驗證表單表示驗證邏輯已經過時了。
Explanation
如果兩個驗證表單具有相同的名稱,Struts Validator 會任意選擇一個表單來進行輸入驗證,而放棄另外一個。這可能不是程式設計師所期望的。而且,這表示沒有維護驗證邏輯,並表示可能存在其他未察覺的驗證錯誤。

範例 1:具有相同名稱的兩個驗證表單。


<form-validation>
    <formset>
        <form name="ProjectForm">
        ...
        </form>
        <form name="ProjectForm">
        ...
        </form>
    </formset>
</form-validation>


維護驗證邏輯,並與應用程式的其他部分保持同步化是非常重要的。未經檢查的輸入是導致目前最糟糕、最常見的軟體安全問題的根源。Cross-site scripting、SQL injection 和 process control 的弱點是由於缺少輸入驗證或輸入驗證不完整而造成的。雖然 J2EE 應用程式在通常情況下不容易因記憶體損壞攻擊而受到影響,但是如果 J2EE 應用程式連接到未執行陣列界限檢查的本地程式碼,攻擊者就能夠在 J2EE 應用程式中利用輸入驗證錯誤發起 Buffer overflow 攻擊。
References
[1] T. Husted et al. Struts in Action: Building Web Applications with the Leading Java Framework Manning Publications
[2] The Struts project The Apache Foundation
[3] Standards Mapping - Common Weakness Enumeration CWE ID 102
[4] Standards Mapping - Common Weakness Enumeration Top 25 2019 [3] CWE ID 020
[5] Standards Mapping - Common Weakness Enumeration Top 25 2020 [3] CWE ID 020
[6] Standards Mapping - Common Weakness Enumeration Top 25 2021 [4] CWE ID 020
[7] Standards Mapping - Common Weakness Enumeration Top 25 2022 [4] CWE ID 020
[8] Standards Mapping - Common Weakness Enumeration Top 25 2023 [6] CWE ID 020
[9] Standards Mapping - Common Weakness Enumeration Top 25 2024 [12] CWE ID 020
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[11] Standards Mapping - FIPS200 CM
[12] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[13] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[14] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[15] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.1.3 Input Validation Requirements (L1 L2 L3), 5.1.4 Input Validation Requirements (L1 L2 L3)
[16] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[17] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[18] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[19] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[20] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[21] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[23] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[26] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[27] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[28] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[29] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[49] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)
desc.config.java.struts_duplicate_validate_forms

Struts: Erroneous validate() Method

Abstract
驗證器表單定義的 validate() 方法,無法呼叫 super.validate()
Explanation
Struts Validator 使用表單的 validate() 方法,對照那些在相關驗證表單中定義的約束來檢查表單屬性的內容。這表示以下這些類別擁有一個 validate() 方法,該方法是屬於驗證框架的一部分:


    ValidatorForm
    ValidatorActionForm
    DynaValidatorForm
    DynaValidatorActionForm


如果您要建立一個由以上類別所延伸的類別,且您的類別覆蓋了 validate() 方法而執行自訂的驗證邏輯,則您必須在 validate() 執行中呼叫 super.validate()。如果您不這麼做,驗證框架就不能對照驗證表單驗證表單中的內容。也就是說,會針對該提供的表單而停用驗證框架。

對表單來說,停用驗證框架會使應用程式暴露在各種的攻擊之下。未經驗證的輸入是導致各種弱點的根源,如 cross-site scripting、process control 和 SQL injection。雖然 J2EE 應用程式在通常情況下不容易因損壞記憶體而受到影響,但是如果 J2EE 應用程式連接到未執行陣列界線檢查的本地程式碼,攻擊者就能夠在 J2EE 應用程式中利用輸入驗證錯誤發起 Buffer overflow 攻擊。
References
[1] T. Husted et al. Struts in Action: Building Web Applications with the Leading Java Framework Manning Publications
[2] The Struts project The Apache Foundation
[3] Standards Mapping - Common Weakness Enumeration CWE ID 103
[4] Standards Mapping - Common Weakness Enumeration Top 25 2024 [12] CWE ID 020
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[6] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[9] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[21] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[22] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[23] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[24] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[25] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[26] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[27] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[28] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[29] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
desc.structural.java.struts_erroneous_validate_method