For server validation to work, it is necessary invoke JSP at least once before submiting. An attacker could invoke action URL directly before JSP initialization, bypassing server validation.
Log in to post a comment.