Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Apache Struts OGNL Remote Code Execution - 270

ZDI - Posted 5 Years Ago
  • Apache Struts is an MVC framework for building Java-based web applications.
  • Struts uses the Java Servlet API to provide Controllers (the C in MVC) called Actions, which are defined in an XML configuration file. They are accessed in the following way: http://server:port/path/<action>.action, where <action> is replaced with an action name. The .action suffix is only a convention; some services use ".do".
  • Struts also supports the use of Object Graph Navigational Language (OGNL) expressions to dynamically generate templated .jsp files. OGNL is a special Expression Language (EL) that is used in Java.
  • When using templating, there are many 'gotchas' in terms of security. The one described in the article is known as double evaluation, and it comes from an improper templating type being used.
  • This double evaluation is important because instead of only substituting the variable, the variable is substituted then executed! OGNL has access to a plethora of Java gadgets that eventually lead to code execution. The issue is using %{...} or ${...} in an unsafe way.
  • This Apache Struts vulnerability was patched in the most recent version by ensuring proper validation of each value that is coming in. However, the root cause of using the templating in the wrong way is still there; looks like there are more bugs to be found here!
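
A toy model of the double evaluation described above, added here as an illustration (it is not code from the ZDI article or from Struts). The evaluator is a hypothetical stand-in for OGNL that only supports variable lookup and integer arithmetic, and `name` is a constructed request parameter.

```python
import ast
import operator
import re

# Toy stand-in for an expression language: variable lookup and integer arithmetic only.
_OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul}
_EXPR = re.compile(r"[%$]\{([^{}]*)\}")  # matches %{...} and ${...}

def eval_expr(expr, ctx):
    """Evaluate one expression: a context variable name or simple arithmetic."""
    def walk(node):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if isinstance(node, ast.Name):
            return ctx[node.id]
        if isinstance(node, ast.Constant) and isinstance(node.value, int):
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in _OPS:
            return _OPS[type(node.op)](walk(node.left), walk(node.right))
        raise ValueError("unsupported expression")
    return walk(ast.parse(expr.strip(), mode="eval"))

def render_once(template, ctx):
    """Intended behaviour: each expression is replaced by its value, which stays data."""
    return _EXPR.sub(lambda m: str(eval_expr(m.group(1), ctx)), template)

def render_twice(template, ctx):
    """Double evaluation: the result of the first pass is handed to the evaluator again."""
    return render_once(render_once(template, ctx), ctx)

def has_expression_syntax(value):
    """Input validation: flag request values that carry %{...} or ${...} delimiters."""
    return bool(_EXPR.search(value))

# Constructed sample: the client controls 'name' and sends expression syntax in it.
ctx = {"name": "%{6*7}"}
template = "Hello %{name}"

if __name__ == "__main__":
    print(render_once(template, ctx))          # value substituted, left as text
    print(render_twice(template, ctx))         # value substituted, then evaluated
    print(has_expression_syntax(ctx["name"]))  # validation catches the input
```

The single pass leaves the client's value as inert text, while the second pass treats it as an expression; the validation function mirrors the per-value check the patch relies on, which is why any value that skips it stays exposed.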