
Apache Struts S2-20 classLoader manipulation improvement #17

Open
adracea opened this issue Nov 7, 2017 · 1 comment

Comments

@adracea

adracea commented Nov 7, 2017

J2EEScan scans for Struts class loader manipulation (https://github.com/ilmila/J2EEScan/blob/master/src/main/java/burp/j2ee/issues/impl/ApacheStrutsS2020.java) with the type of payload engineered AFTER the first fix, which is Class.classLoader. Ex:
Class.classLoader.URLs[0]=testClassloaderManipulation1509723031
During testing I've seen that most of the time this payload will not trigger anything/any reaction, but the original one, class.classLoader, would. I did class.classLoader.classAssertionStatus=test; this, in turn, would either generate a beanutils error regarding the fact that classAssertionStatus has no setter or give a 404 in the response. J2EEScan didn't detect anything wrong with the application even though it was vulnerable to this issue.

My suggestion is the following: adding class.classLoader and class['classLoader'] to the list of payloads for S2-20 scanning. I really think that this will improve the detection of this issue!
There is also a pretty well-explained list of payloads for Struts vulns here:
https://github.com/lanjelot/kb/blob/master/struts
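The report above lists several spellings of the same indicator (dotted, bracketed, upper/lower-case `class`). The following is an added example, not J2EEScan code and not from the issue author, showing how a defender can normalize request parameter names so that every variant is recognized when reviewing access logs. The log lines and the path /app/login.action are constructed sample data.

```python
"""Flag HTTP request parameters that walk the Struts bean property chain
`class.classLoader` (the S2-020 indicator discussed in this issue).

Added example for this issue; not J2EEScan code. Sample log lines below
are constructed for illustration."""
import re
from urllib.parse import parse_qsl

# Rewrite bracket access into dotted form so that `class['classLoader']`,
# `class["classLoader"]` and `URLs[0]` all compare the same way.
_BRACKET = re.compile(r"\[\s*['\"]?([^\]'\"]*)['\"]?\s*\]")


def normalize_param_name(name: str) -> str:
    """class['classLoader'].URLs[0]  ->  class.classloader.urls.0"""
    return _BRACKET.sub(r".\1", name).lower()


def is_classloader_probe(name: str) -> bool:
    """True if the (normalized) parameter name reaches `class.classLoader`.
    Covers class.classLoader, Class.classLoader and class['classLoader']."""
    return "class.classloader" in normalize_param_name(name)


def find_classloader_params(query: str) -> list[str]:
    """Return raw parameter names in a query string that hit the indicator.
    parse_qsl URL-decodes names, so %5B%27 ... %27%5D becomes ['...']."""
    return [
        name
        for name, _value in parse_qsl(query, keep_blank_values=True)
        if is_classloader_probe(name)
    ]


# Combined-log-format request line: "GET /path?query HTTP/1.1"
_REQUEST = re.compile(
    r'"(?:GET|POST) (?P<path>[^ ?"]*)(?:\?(?P<qs>[^ "]*))? HTTP/'
)


def scan_access_log(lines):
    """Yield (path, [suspicious parameter names]) for lines with a hit."""
    findings = []
    for line in lines:
        m = _REQUEST.search(line)
        if not m or not m.group("qs"):
            continue
        names = find_classloader_params(m.group("qs"))
        if names:
            findings.append((m.group("path"), names))
    return findings


# Constructed sample access log (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [07/Nov/2017:10:00:00 +0000] "GET /app/login.action?user=bob HTTP/1.1" 200 512',
    '10.0.0.9 - - [07/Nov/2017:10:00:01 +0000] "GET /app/login.action?Class.classLoader.URLs[0]=x HTTP/1.1" 200 512',
    '10.0.0.9 - - [07/Nov/2017:10:00:02 +0000] "GET /app/login.action?class%5B%27classLoader%27%5D.classAssertionStatus=t HTTP/1.1" 500 128',
    '10.0.0.9 - - [07/Nov/2017:10:00:03 +0000] "POST /app/login.action HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for path, names in scan_access_log(SAMPLE_LOG):
        print(f"{path}: {names}")
```

Only query-string parameters are inspected here; POST bodies would need the same `find_classloader_params` check applied to the form payload. The normalization step is the important part: a match on the literal string `class.classLoader` alone would miss both the capitalized and the bracketed forms the report says differ in effect.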

@ilmila
Owner

ilmila commented Nov 7, 2017 via email
