Firewall rule by #fragment

Hello,

My site is being bombarded with requests like this one:

GET /index.action?debug=browser&object=(#[email protected]@DEFAULT_MEMBER_ACCESS)?(#context[#parameters.rpsobj[0]].getWriter().println(#context[#parameters.reqobj[0]].getRealPath(#parameters.pp[0]))):sb.toString.json&rpsobj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&command=Is-Struts2-Vul-URL&pp=/&reqobj=com.opensymphony.xwork2.dispatcher.HttpServletRequest

Those requests are trying to exploit a vulnerability in the way OGNL expressions are being processed in Struts.

I’m trying to create a firewall rule to block them, without success. I suspect that it is because the code being injected appears as a #fragment part in the url and is not being filtered.

Am I right? Is there any way I can block those requests?

Thank you,

Senen

@senen the URI fragment wouldn’t be sent to the origin; fragments are used by the browser only.

You should be able to block this w/ Firewall Rules if it’s not already blocked by our WAF. Is this in reference to a specific CVE?

Can I ask why the URI fragments aren’t being analyzed by the WAF?

I think this is the exploit they are using https://github.com/DengYiping/Struts2_devmode_exploit.

They are checking if I have dynamic method invocation enabled, I guess.

Fragments are used by the browser to reference content; they aren’t sent to the webserver (or Cloudflare) w/ the request for the content. It’s possible they are sending a similar character pattern.

We have a lot of rules in the CF Managed ruleset that cover a variety of Struts vulnerabilities. Do you have these enabled already?
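As an added illustration of the point made above (this is not code from the thread, from Cloudflare or from Struts): a URL library, like a browser, treats `#` as the start of a fragment, which is why the payload appears to be "in the fragment", but the origin receives the raw request-target with the literal `#` still inside the query string, and that is what a rule or detector must inspect. The log lines and the marker list are constructed from the shape of the request quoted in the thread and are assumptions, not a complete signature.

```python
from urllib.parse import unquote, urlsplit

# Illustrative OGNL indicators taken from the probe quoted in the thread (assumption:
# a real ruleset would carry a broader, maintained list).
OGNL_MARKERS = ("#context[", "#parameters.", "@DEFAULT_MEMBER_ACCESS", ".getWriter(")


def split_like_browser(target: str) -> dict:
    """A browser (or urlsplit) cuts at the first '#' and never sends what follows.
    This is the view that makes the payload look like a fragment."""
    parts = urlsplit(target)
    return {"path": parts.path, "query": parts.query, "fragment": parts.fragment}


def request_target_as_received(target: str) -> str:
    """The origin sees the raw request-target bytes; a non-browser client may put a
    literal '#' in the query and nothing strips it. Percent-decoding puts encoded
    variants (%23 for '#') on an equal footing with the plain ones."""
    return unquote(target)


def find_ognl_markers(target: str) -> list[str]:
    """Markers present in the request-target as the origin actually received it."""
    raw = request_target_as_received(target)
    return [m for m in OGNL_MARKERS if m in raw]


def classify_log_line(line: str) -> dict:
    """Parse a constructed 'METHOD target' log line and report both views."""
    method, _, target = line.partition(" ")
    browser_view = split_like_browser(target)
    return {
        "method": method,
        "looks_like_fragment": bool(browser_view["fragment"]),  # misleading view
        "markers": find_ognl_markers(target),                   # what to act on
    }


# Constructed log lines: plain probe, percent-encoded probe, and a benign '#' request.
CONSTRUCTED_LINES = [
    "GET /index.action?debug=browser&object=(#context[#parameters.rpsobj[0]].getWriter())&command=Is-Struts2-Vul-URL",
    "GET /index.action?debug=browser&object=(%23context%5B%23parameters.rpsobj%5B0%5D%5D.getWriter())",
    "GET /index.action?page=2#section-3",
]

if __name__ == "__main__":
    for line in CONSTRUCTED_LINES:
        print(classify_log_line(line))
```

The second line never looks like a fragment yet carries the same markers, which is why a rule keyed on the decoded query string (rather than on anything after `#`) is what blocks these probes.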

