CWE-103 Struts Incomplete validate() Method
Coverage: 2 rules in the SiteShadow rule registry target this CWE (registry v2.0.0). Regex 2 Also: Taint and heuristic analyzers may also detect related flows (see coverage for the authoritative list) Registry tagging shows intent, for sample-level behaviour and benchmarked gaps see known gaps.
What this means
SiteShadow flagged incomplete or missing server-side validation. The CWE name references Struts' validate() method, but the core risk applies to any app where validation exists but doesn't actually cover all fields, edge cases, or dangerous inputs.
Why it matters
Missing validation allows unsafe input to pass through.
- Bypass via unvalidated fields: attackers use the field you forgot to validate.
- Edge-case bypasses: validation covers "normal" inputs but not encodings/lengths/empty/null cases.
- Downstream vulnerabilities: unsafe values reach injection sinks, filesystem, redirects, or auth decisions.
Safer examples
1) Validate the full shape, not just a couple fields
Use schema validation so "extra" or missing fields are rejected (see CWE-20).
2) Canonicalize and validate consistently
Decode/normalize once, then validate the canonical form (see CWE-116 / CWE-436).
3) Add abuse-case tests for validation
Test long strings, weird encodings, null/empty values, and known bypass payloads so validation stays complete over time.
How SiteShadow detects it (high level)
- Detects validators that only check a subset of fields or only check superficial properties.
- Flags flows where unvalidated fields reach sensitive sinks or security decisions.
References
- CWE-103: https://cwe.mitre.org/data/definitions/103.html
---
← Back to Vulnerability Library
Catch this with SiteShadow Pro.
This vulnerability class is detected by SiteShadow's Pro-tier engines, two-pass interprocedural taint analysis, heuristic flow checks, AI-context scanning, and cross-file detection. The free tier catches OWASP Top 10 single-file patterns; Pro adds the data-flow depth that finds this class of bug.