Struts 2 Must Die - The Life and Inevitable Death of Java’s Spaghettiest Framework
Offered By: OWASP Foundation via YouTube
Course Description
Overview
Dive into a critical analysis of the Struts 2 Java framework in this 20-minute conference talk from OWASP Global AppSec Tel Aviv. Follow the evolution of Struts 2 from a modern framework into a security liability, examining its architectural flaws and the difficulty of removing it from production environments. Investigate the OGNL swamp, follow the cat-and-mouse game between developers and security researchers, and learn the prerequisites for exploiting the framework. Learn about Struts vulnerabilities, injection points, and payload construction. Understand why applications can initially appear safe and what that means for security teams. Gain insights into application security and the importance of framework evaluation from Eugene Rojavski, an Application Security Researcher at Checkmarx.
Syllabus
Intro
Why is Struts so explosive
Struts vulnerabilities
Struts evaluation
View with Struts
GetValue method
GetValue class
The injection point
Single vs Double
Single Injection
Double Injection
GetText
First Payload
Dynamic constructor
Blacklist
Default Member Access
Check if application is vulnerable
Why this starts safe
What does this mean
Take home message
Conclusion
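The double-evaluation pattern behind the syllabus items "Single vs Double", "Double Injection" and "GetText", as an added example that is not from the talk and not Apache Struts' own code. It assumes a hypothetical Struts 2 action, `GreetingAction`, whose message key is populated from a request parameter by the params interceptor. In Struts 2, `getText(key)` looks the key up in the resource bundles and, when nothing matches, falls back to the key itself as the default message, which is then run through the framework's variable translation so that `${...}` and `%{...}` are evaluated as OGNL. The parameter value is therefore treated as data in the first step and as an expression in the second. Whether the expression actually executes anything useful depends on the Struts version and its OGNL blacklist and member-access settings, which is what the later syllabus items cover.

```java
import com.opensymphony.xwork2.ActionSupport;
import java.util.Set;

// Added example, not from the talk or from Struts itself. Hypothetical action
// whose "key" property is bound from the request by the params interceptor.
public class GreetingAction extends ActionSupport {

    private String key;      // populated from ?key=... by the params interceptor
    private String message;

    public void setKey(String key) { this.key = key; }
    public String getMessage() { return message; }

    // VULNERABLE PATTERN: an untrusted value is used as a localisation key.
    // getText() searches the resource bundles; with no match it uses the key
    // as the default message and passes it through variable translation,
    // which evaluates ${...} / %{...} as OGNL. A request such as
    // ?key=%25%7B7*7%7D (i.e. key=%{7*7}) is plain data when it is bound to
    // "key" and becomes an expression inside getText(): that second
    // evaluation is the "double injection" the talk describes. The usual
    // harmless check is whether the page renders 49 instead of the literal
    // text %{7*7}; what else the expression may reach is governed by the
    // OGNL blacklist and member-access restrictions of the Struts version.
    @Override
    public String execute() {
        message = getText(key);
        return SUCCESS;
    }

    // HARDENED PATTERN: the request decides only which of a fixed set of
    // keys is used, so attacker-controlled text never reaches getText().
    private static final Set<String> ALLOWED_KEYS =
            Set.of("greeting.morning", "greeting.evening");

    public String executeSafe() {
        if (key == null || !ALLOWED_KEYS.contains(key)) {
            addActionError("unknown message key");
            return INPUT;
        }
        message = getText(key);
        return SUCCESS;
    }
}
```

The same rule applies to every Struts API that performs forced expression evaluation on a string argument or tag attribute: the fix is never to "sanitise" the `%{` or `${` prefix out of the input, but to keep untrusted input out of any value the framework evaluates, so that the user's data is only ever read by an expression and never becomes one.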
Taught by
OWASP Foundation