Posted to user@struts.apache.org by rgm <rg...@rgm.nu> on 2014/04/24 20:25:21 UTC

Detect abuse of parameterInterceptor / Zero-Day issue?

I'd like to begin monitoring the server's request log and system logs to be
able to detect abuse of today's 0-day, if possible.  Is it possible to
search for GET requests or Struts log statements to determine if this issue
is being exploited?

Re: Detect abuse of parameterInterceptor / Zero-Day issue?

Posted by Christoph Nenning <Ch...@lex-com.net>.
> I'd like to begin monitoring the server's request log and system logs to be
> able to detect abuse of today's 0-day, if possible.  Is it possible to
> search for GET requests or Struts log statements to determine if this issue
> is being exploited?



As far as I see it, the problem is specific OGNL expressions in parameter
names (GET and POST).

You can try to search for parameter names containing "class" to see
requests that might try to abuse this.

If you use a web server in front of your application server, you might
search those logs.


regards,
Christoph


Re: Detect abuse of parameterInterceptor / Zero-Day issue?

Posted by Lukasz Lenart <lu...@apache.org>.
You will get a WARN in devMode or a DEBUG log entry from
ParametersInterceptor, or you can use the access_log from Apache - it all
depends on the setup of your application.

2014-04-24 20:25 GMT+02:00 rgm <rg...@rgm.nu>:
> I'd like to begin monitoring the server's request log and system logs to be
> able to detect abuse of today's 0-day, if possible.  Is it possible to
> search for GET requests or Struts log statements to determine if this issue
> is being exploited?

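Added example, not part of the original thread and not Struts project code: the access_log search suggested in the replies above, written in Python. The log lines, the placeholder parameter names and the high/review split are constructed assumptions; POST parameter names do not appear in a standard access_log, so only query strings are checked here.

```python
import re
from urllib.parse import unquote_plus

# Request line of an Apache common/combined access_log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# "class" as its own token in a property path: a.class.b or a['class'].
TOKEN_RE = re.compile(r"(?:^|[.\[\]'\"])class(?:$|[.\[\]'\"])", re.I)

# Constructed sample lines (not from a real server); names are placeholders.
SAMPLE_LOG = [
    '192.0.2.10 - - [24/Apr/2014:20:31:02 +0200] "GET /shop/list.action?page=2&sort=name HTTP/1.1" 200 5120',
    '192.0.2.44 - - [24/Apr/2014:20:31:09 +0200] "GET /shop/list.action?class.placeholder=x HTTP/1.1" 200 5120',
    '192.0.2.44 - - [24/Apr/2014:20:31:11 +0200] "GET /shop/list.action?item%2E%63lass%5B%27placeholder%27%5D=x HTTP/1.1" 200 5120',
    '192.0.2.77 - - [24/Apr/2014:20:32:40 +0200] "GET /shop/search.action?classification=books HTTP/1.1" 200 811',
    '192.0.2.44 - - [24/Apr/2014:20:33:05 +0200] "POST /shop/save.action HTTP/1.1" 200 64',
]

def param_names(target):
    """Return the decoded parameter names from a request target's query string."""
    query = target.partition("?")[2]
    names = []
    for pair in re.split(r"[&;]", query):
        if pair:
            raw = pair.split("=", 1)[0]
            # Decode twice so percent-encoded and double-encoded names are seen.
            names.append(unquote_plus(unquote_plus(raw)))
    return names

def scan(lines):
    """Return (line_no, severity, name) for parameter names containing 'class'."""
    hits = []
    for no, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue  # not a parseable request line
        for name in param_names(m.group("target")):
            if "class" in name.lower():
                # Assumption: a standalone "class" token is more suspicious
                # than a word that merely contains it (e.g. "classification").
                sev = "high" if TOKEN_RE.search(name) else "review"
                hits.append((no, sev, name))
    return hits

if __name__ == "__main__":
    for no, sev, name in scan(SAMPLE_LOG):
        print(f"line {no}: [{sev}] parameter name {name!r}")
```

To cover POST requests, the same name check has to run on application-side logs such as the ParametersInterceptor WARN/DEBUG entries mentioned above, whose exact format depends on the logging setup.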