Apache Struts Vulnerabilities – Detectify Blog


Apache Struts is a well-known development framework for Java-based web applications that is mostly used in enterprise environments. If you search for Apache Struts CVEs on MITRE, you currently get 77 results, and most of the critical ones are due to OGNL expression injection, which is very similar to SSTI (Server Side Template Injection) attacks.

In this article we will go through the security history of Apache Struts, common Apache Struts security issues and the impact of these vulnerabilities.

Recent history of Apache Struts

Apache Struts has a rough security history with many critical vulnerabilities. These made the infamous Equifax breach possible: CVE-2017-5638 was the main vulnerability used to get hold of millions of records of creditholders' data. Apache Struts has not only suffered from OGNL expression injection vulnerabilities, but also from deserialization vulnerabilities.

Deserialization vulnerabilities

Deserialization is the opposite of serialization: taking data structured in one format and rebuilding it into an object. JSON and XML are examples of serialization formats. Java has a long history of deserialization bugs, and Oracle has even said it plans to remove Java serialization because of the security implications.

OGNL expression injection

Object-Graph Navigation Language (OGNL) is an expression language for handling Java objects. When an OGNL expression injection vulnerability is present, user-supplied input reaches the OGNL evaluator, so an attacker can inject OGNL expressions that the framework evaluates. These expressions can execute arbitrary Java code.

Searching for this vulnerability in a black box environment is easy and follows the same approach as searching for SSTI vulnerabilities. We inject OGNL expressions into every user-supplied data field and look for a response indicating that the expression was parsed and evaluated on the server.

Watch this Proof of Concept video to see how CVE-2017-9791 can be exploited:

An example of an expression to use could be as simple as:

foobar%{191*7}

where %{191*7} is the expression. The output from this would be 1337. These expressions can of course be something other than just mathematical, but this is a way to easily detect the vulnerability.
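From the defender's side, the same probe syntax is what a log or WAF rule should look for. The following Python is an added example, not code from the Detectify post: it URL-decodes request parameters (including double-encoded forms), flags any %{...} or ${...} expression, and labels a pure-arithmetic probe such as %{191*7} separately from other expressions. The access-log lines, hosts and paths are constructed for the example.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit
# Struts evaluates OGNL inside %{...} and ${...}; this heuristic catches both forms.
OGNL_EXPR = re.compile(r"[%$]\{[^}]*\}")
# A pure-arithmetic expression such as %{191*7} is the classic detection probe.
ARITHMETIC_ONLY = re.compile(r"^[%$]\{\s*[\d\s+\-*/()]+\s*\}$")

def fully_decode(value: str, rounds: int = 3) -> str:
    """URL-decode repeatedly so double-encoded %25%7B...%7D is not missed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(expr: str) -> str:
    return "probe" if ARITHMETIC_ONLY.match(expr) else "suspicious"

def scan_parameters(params):
    """Return (name, expression, label) for every OGNL expression in params."""
    findings = []
    for name, value in params:
        for m in OGNL_EXPR.finditer(fully_decode(value)):
            findings.append((name, m.group(0), classify(m.group(0))))
    return findings

def scan_access_log(lines):
    """Pull the request line out of each access-log entry and scan its query."""
    hits = []
    for line in lines:
        m = re.search(r'"(?:GET|POST) (\S+) HTTP', line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        params = parse_qsl(url.query, keep_blank_values=True)
        for finding in scan_parameters(params):
            hits.append((url.path,) + finding)
    return hits

# Constructed sample log lines (hypothetical hosts and paths, not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /search.action?q=foobar%25%7B191*7%7D HTTP/1.1" 200 512',
    '10.0.0.6 - - [01/Jan/2024:10:00:01 +0000] "GET /search.action?q=struts HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "POST /login.action?user=%24%7B%23request%7D HTTP/1.1" 500 0',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```

Only query-string parameters are scanned here; POST bodies and headers (the vector in several Struts CVEs) would need the same decoding and matching applied to them.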

How Detectify can help

Detectify is able to test for generic OGNL expression injection in Apache Struts, as well as for many of the known CVEs. Check your web applications against known Apache Struts vulnerabilities and more. Start your 14-day free trial today.
