Application Security Resources

Sub Text of Application Security Resources

Struts Error Message Cross Site Scripting

November 8, 2005

Tiny Url for this post:

Hacktics Research
By Irene Abezgauz – November 3rd, 2005
CVE: CVE-2005-3745 / BID: 15512


Struts is an open source framework for building web applications. The core of the Struts framework is a flexible control layer based on standard technologies such as Java Servlets, JavaBeans, resource bundles, and the Extensible Markup Language (XML). Struts can be used with different Java engines, such as WebLogic, TomCat, JRun, etc.


After identifying in Struts an error message echoing the path back to the user, Hacktics conducted research to identifyi a cross site scripting vulnerability in the implementation of this error on different application servers.

The Finding

When attempting to access a non existent Struts action URL, the struts infrastructure generates an error echoing the path of the requested action. The mechanism generating this error does not perform sufficient input validation nor perform HTML encoding of the output, thus exposing the system, in some environments, to a Cross Site Scripting attack.


Normal Struts action URLs take the format of: Normal Struts action URLs take the format of:
When accessing a non existing action, while maintaining the do suffix, such as:
The struts request handler processes the request, and generates a 400 Bad Request error. The body of the default erroneous response includes the following text:
Invalid path /NOASUCHACTION was requested
By replacing the non existent action with a script, Cross Site Scripting is possible.


The exploit is done by including any script (JavaScript/VBScript) between HTML SCRIPT tags. For instance: /struts-virdir/lt;script>alert(‘test’)lt;/script>.do
Vulnerable Versions
Struts 1.2.7 Running on WebLogic 8.1 SP4
Struts 1.2.7 Running on WebLogic 8.1 SP5
Struts 1.2.7 Running on Resin Web Server
Non-Vulnerable Versions
Struts Running on Apache Tomcat 5.5.9
Struts Running on Apache Tomcat 5.5.9


The Apache Struts group has been notified of this vulnerability on November 3rd, and has fixed the problem in the new Struts release (1.2.8). Upgrading to the new version will eliminate the threat. Alternatively, a work around is available on existing versions by configuring the web server to display custom error messages rather than the default ones.

Copyright Hacktics 2009 All right reserved

This post is also available in: Anglais

Learn more about Seeker

More Avis de sécurité