Over a million developers have joined DZone.

Was Struts Responsible for Apple's Security Breach?

DZone's Guide to

Was Struts Responsible for Apple's Security Breach?

· Java Zone
Free Resource

Learn how to stop testing everything every sprint and only test the code you’ve changed. Brought to you by Parasoft.

Better get updating your Struts applications! A recent security vulnerability discovered in Struts could have been responsible for the recent hack on Apple's Developer portal. 

The description of the vulnerability states 

The Struts 2 DefaultActionMapper supports a method for short-circuit navigation state changes by prefixing parameters with "action:" or "redirect:", followed by a desired navigational target expression. This mechanism was intended to help with attaching navigational information to buttons within forms.

In Struts 2 before the information following "action:", "redirect:" or "redirectAction:" is not properly sanitized. Since said information will be evaluated as OGNL expression against the value stack, this introduces the possibility to inject server side code. 

The timing seems to fit, as observed by czhiddy on HackerNews:

 Struts was released on 7/16/13, and developer.apple.com went down on 7/18/13 for "maintenance". Plenty of time for an enterprising black hat to notice and exploit the vulnerability.

Get the top tips for Java developers and best practices to overcome common challenges. Brought to you by Parasoft.


Opinions expressed by DZone contributors are their own.

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.urlSource.name }}