You are viewing a plain text version of this content. The canonical link for it is here.
Posted to user@struts.apache.org by rgm <rg...@rgm.nu> on 2014/04/24 20:25:21 UTC
Detect abuse of parameterInterceptor / Zero-Day issue?
I'd like to begin monitoring the server's request log and system logs to be
able to detect abuse of today's 0-day, if possible. Is it possible to
search for GET requests or Struts log statements to determine if this issue
is being exploited?
Antwort: Detect abuse of parameterInterceptor / Zero-Day issue?
Posted by Christoph Nenning <Ch...@lex-com.net>.
>
> I'd like to begin monitoring the server's request log and system logs to
be
> able to detect abuse of today's 0-day, if possible. Is it possible to
> search for GET requests or Struts log statements to determine if this
issue
> is being exploited?
As far as I see it the problem are specific OGNL expressions in paramter
names (GET and POST).
You can try to search for parameter names in containing "class" to see
requests that might try to abuse this.
If you use a web server in front of your application server you might
search that logs.
regards,
Christoph
This Email was scanned by Sophos Anti Virus
Re: Detect abuse of parameterInterceptor / Zero-Day issue?
Posted by Lukasz Lenart <lu...@apache.org>.
You will get WARN in devMode or DEBUG log entry from
ParametersInterceptor or you can use access_log from Apache - it all
depends on setup of your application.
2014-04-24 20:25 GMT+02:00 rgm <rg...@rgm.nu>:
> I'd like to begin monitoring the server's request log and system logs to be
> able to detect abuse of today's 0-day, if possible. Is it possible to
> search for GET requests or Struts log statements to determine if this issue
> is being exploited?
---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org