CWE-103 Struts Incomplete validate() Method
What this means
SiteShadow flagged incomplete or missing server-side validation. The CWE name references Struts' validate() method, but the core risk applies to any app where validation exists but doesn't actually cover all fields, edge cases, or dangerous inputs.
Why it matters
Missing validation allows unsafe input to pass through.
- Bypass via unvalidated fields: attackers use the field you forgot to validate.
- Edge-case bypasses: validation covers "normal" inputs but not encodings/lengths/empty/null cases.
- Downstream vulnerabilities: unsafe values reach injection sinks, filesystem, redirects, or auth decisions.
Safer examples
1) Validate the full shape, not just a couple of fields
Use schema validation so "extra" or missing fields are rejected (see CWE-20).
2) Canonicalize and validate consistently
Decode/normalize once, then validate the canonical form (see CWE-116 / CWE-436).
3) Add abuse-case tests for validation
Test long strings, weird encodings, null/empty values, and known bypass payloads so validation stays complete over time.
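As an added example (not SiteShadow's or the page's own code, and framework-neutral rather than Struts-specific), here is a small Python validator that applies all three steps: a declarative schema that rejects unknown and missing fields, canonicalization before any check, and a constructed abuse-case list the validator must keep rejecting. The field names, rules and sample values are assumptions made up for this example.

```python
import re
import unicodedata

# Constructed schema: every accepted field is listed, so anything else is rejected.
SCHEMA = {
    "username": {"required": True, "max_len": 32, "pattern": re.compile(r"[a-z0-9_]+")},
    "email": {"required": True, "max_len": 254, "pattern": re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")},
    "role": {"required": False, "max_len": 16, "allowed": {"user", "editor"}},
}

def canonicalize(value):
    """Normalize once before any check (NFKC + strip); non-strings are rejected, not coerced."""
    if not isinstance(value, str):
        return None
    return unicodedata.normalize("NFKC", value).strip()

def validate(data):
    """Validate the whole request shape. Returns (ok, errors, canonical_data)."""
    if not isinstance(data, dict):
        return False, ["body: must be an object"], {}
    errors, clean = [], {}
    for name in data:
        if name not in SCHEMA:  # a field with no rule is a field nobody validated
            errors.append(f"{name}: unexpected field")
    for name, rule in SCHEMA.items():
        if name not in data:
            if rule["required"]:
                errors.append(f"{name}: missing")
            continue
        value = canonicalize(data[name])
        if not value:  # None (wrong type) or empty after stripping
            errors.append(f"{name}: must be a non-empty string")
        elif len(value) > rule["max_len"]:
            errors.append(f"{name}: too long")
        elif "pattern" in rule and not rule["pattern"].fullmatch(value):
            errors.append(f"{name}: invalid format")  # fullmatch: a bare '$' admits a trailing newline
        elif "allowed" in rule and value not in rule["allowed"]:
            errors.append(f"{name}: not an allowed value")
        else:
            clean[name] = value
    return not errors, errors, clean
ABUSE_CASES = [  # constructed; each must be rejected, and the list grows as bypasses are found
    {"username": "alice", "email": "alice@example.com", "is_admin": "true"},  # extra field
    {"username": "alice"},                                                    # missing field
    {"username": None, "email": "alice@example.com"},                         # null
    {"username": "a" * 33, "email": "alice@example.com"},                     # over length
    {"username": "ali\nce", "email": "alice@example.com"},                    # embedded newline
]
def abuse_cases_rejected():
    return all(not validate(case)[0] for case in ABUSE_CASES)
```

The fullwidth username case in the tests below passes only because canonicalization happens before the pattern check; validating the raw value would reject a legitimate input while still letting padded or mixed-form variants of a disallowed value slip past a naive comparison.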
How SiteShadow detects it (high level)
- Detects validators that only check a subset of fields or only check superficial properties.
- Flags flows where unvalidated fields reach sensitive sinks or security decisions.
References
- CWE-103: https://cwe.mitre.org/data/definitions/103.html
---