Jump to content
Sign in to follow this  

Exploiting OGNL Injection in Apache Struts

Recommended Posts

Exploiting OGNL Injection in Apache Struts

Mar 14, 2019 • Ionut Popescu




Let’s understand how OGNL Injection works in Apache Struts. We’ll exemplify with two critical vulnerabilities in Struts: CVE-2017-5638 (Equifax breach) and CVE-2018-11776.

Apache Struts is a free, open-source framework for creating elegant, modern Java web applications. It has its share of critical vulnerabilities, with one of its features, OGNL – Object-Graph Navigation Language, being at the core of many of them.

One such vulnerability (CVE-2017-5638) has facilitated the Equifax breach in 2017 that exposed personal information of more thann 145 million US citizens. Despite being a company with over 3 billion dollars in annual revenue, it was hacked via a known vulnerability in the Apache Struts model-view-controller (MVC) framework.

This article offers a light introduction into Apache Struts, then it will guide you through modifying a simple application, the use of OGNL, and exploiting it. Next, it will dive into some public exploits targeting the platform and using OGNL Injection flaws to understand this class of vulnerabilities.

Even if Java developers are familiar with Apache Struts, the same is often not true in the security community. That is why we have created this blog post.


Feel free to use the menu below to skip to the section of interest.

  1. Install Apache Tomcat server (Getting started)
  2. Get familiar with how Java apps work on a server (Web Server Basics)
  3. A look at a Struts app (Struts application example)
  4. Expression Language Injection (Expression Language injection)
  5. Understanding OGNL injection (Object-Graph Navigation Language injection)
  6. CVE-2017-5638 root cause (CVE-2017-5638 root cause)
  7. CVE-2018-11776 root cause (CVE-2018-11776 root cause)
  8. Explanation of the OGNL injection payloads (Understanding OGNL injection payloads)


Articol complet: https://pentest-tools.com/blog/exploiting-ognl-injection-in-apache-struts/

Share this post

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Sign in to follow this  

  • Create New...