Why Is Apache Struts So Vulnerable?
Learn more about this Java-based web framework and why it is prone to so many vulnerabilities.
Apache Struts is a well-known development framework for Java-based web applications and is mostly used in enterprise environments. If you search for Apache Struts CVEs on MITRE, you currently get 77 results, and most of the critical ones are due to OGNL expression injection, which is very similar to SSTI (Server-Side Template Injection) attacks.
In this article, we will briefly go through the security history of Apache Struts, common Apache Struts security issues, and the impact of these vulnerabilities.
Recent History of Apache Struts
Apache Struts has a rough security history with many critical vulnerabilities, and these made the infamous Equifax hack possible: CVE-2017-5638 was the main vulnerability used to get hold of millions of records of credit holders' data. Apache Struts has not only suffered from OGNL expression injection vulnerabilities but also from deserialization vulnerabilities.
Deserialization Vulnerabilities
Deserialization is the opposite of serialization: it takes structured data in a serialized format and rebuilds it into an object. JSON and XML are examples of data formats used for serialization. Java has a long history of deserialization bugs, and Oracle has even said that it plans to remove Java serialization because of its security implications.
OGNL Expression Injection
Object-Graph Navigation Language (OGNL) is an expression language for handling Java objects. When an OGNL expression injection vulnerability is present, attacker-controlled input is evaluated by the server as an OGNL expression, and such expressions can execute arbitrary Java code.
Searching for this vulnerability in a black-box environment is easy and can follow the same approach as searching for SSTI vulnerabilities: inject OGNL expressions into all user-supplied data fields and check whether any response indicates that the expression has been parsed and evaluated on the server.
If you're looking for a proof of concept, check out the video below:
An example of an expression to use could be as simple as foobar%{191*7}, where %{191*7} is the expression. The output from this would be 1337. These expressions can, of course, be something other than just mathematical, but this is a way to easily detect the vulnerability.
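The same arithmetic probe is also what a defender should be looking for in their own traffic. The following is an added example (not from the original article) that scans constructed Apache access-log lines and flags requests whose URL-decoded path or query parameters carry an OGNL-style expression such as the %{191*7} probe above; the log format, parameter names and IP addresses are assumptions.

```python
import re
from urllib.parse import unquote_plus, urlsplit, parse_qsl

# OGNL (and EL-style) expression wrapper, matched after URL decoding.
OGNL_PATTERN = re.compile(r"[%$]\{[^}]*\}")

# Minimal parser for the request line of the Apache "combined" log format.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)


def find_ognl_probes(line):
    """Return (field, decoded_value) pairs that contain an OGNL marker."""
    m = LOG_LINE.match(line)
    if not m:
        return []  # not a recognisable access-log line
    parts = urlsplit(m.group("path"))
    # Decode the path and every query parameter; encoded %7B..%7D must
    # be unwrapped before the pattern can see the braces.
    candidates = [("path", unquote_plus(parts.path))]
    candidates += parse_qsl(parts.query, keep_blank_values=True)
    return [(name, value) for name, value in candidates
            if OGNL_PATTERN.search(value)]


def scan_log(lines):
    """Return one alert dict per log line that carries at least one probe."""
    alerts = []
    for line in lines:
        hits = find_ognl_probes(line)
        if hits:
            alerts.append({"ip": LOG_LINE.match(line).group("ip"),
                           "hits": hits})
    return alerts


# Constructed sample log lines; the second mirrors the article's foobar%{191*7}.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Mar/2019:13:55:36 +0000] "GET /app/login.action?user=alice HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Mar/2019:13:55:40 +0000] "GET /app/search.action?q=foobar%25%7B191*7%7D HTTP/1.1" 200 128',
    '203.0.113.9 - - [10/Mar/2019:13:55:41 +0000] "GET /app/%24%7B1%2B1%7D.action HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

Access logs only record the request line, so form bodies and request headers that Struts also evaluates are not covered by this check; those need a WAF or application-level logging with the same decoding step.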
Published at DZone with permission of Jocelyn Chan.