Reputation: 39
I have one more issue related to JSP EL and a security problem: how do I test this issue (JSP Expressions are not allowed in the Struts 2 Tag Libs because of security concerns allowing hackers to use JSP EL to inject OGNL into the tags to do bad things)? I have done lots of searching but am not able to create such a test case. If you have any sample test or thoughts, please suggest.
Upvotes: 2
Views: 2138
Reputation: 11055
As of Struts version 2.0.9 the JSTL/JSP expression language (EL) has been disabled for Struts tag attributes which evaluate OGNL. This is a precaution against security vulnerabilities that can result from the double-evaluation that occurs when an attribute is first processed as a JSTL/JSP EL expression and then the result is processed as an OGNL expression. The solution is to express all dynamic attribute values in Struts tags using OGNL expressions directly.
This type of injection doesn't work anymore. If you want to see how it used to work, then create a new copy of the .tld file for the Struts2 tags and enable EL evaluation for the attributes of various tags.
As indicated above, this was an exploit that took advantage of the fact that EL expressions are processed by the JSP/EL engine and OGNL expressions are evaluated after that inside the tag class.
For example, if the Struts2 tags allowed EL expressions, you could wind up with the following:
<s:text name="${someVar}"/>
Where someVar is a parameter set from the incoming request and it could evaluate to an arbitrary OGNL expression. Once the text tag is invoked, it evaluates the OGNL expression, which may have unintended consequences.
There is a more in-depth example located in the JIRA ticket for this issue: https://issues.apache.org/jira/browse/WW-2107
Upvotes: 2
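For auditing a code base against the double-evaluation pattern described in the answer above, the following static check flags JSP EL (`${...}`) inside attributes of Struts 2 tags. It is an added example, not part of the original answer and not Struts code; the function names and the sample JSP are constructed for illustration.

```python
import re

# Constructed sample page (not from the original post).
SAMPLE_JSP = '''<%@ taglib prefix="s" uri="/struts-tags" %>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<s:text name="${someVar}"/>
<s:property value="%{user.name}"/>
<c:out value="${param.q}"/>
<s:textfield name="email" label="${param.label}" />
'''

TAGLIB = re.compile(r'<%@\s*taglib\b([^%]*)%>', re.I)
ATTR = re.compile(r'([\w:.-]+)\s*=\s*(["\'])(.*?)\2', re.S)
# Only ${...} is treated as JSP EL. #{...} is left alone because it is also
# OGNL map syntax, and %{...} is plain OGNL, which is what the tags expect.
EL = re.compile(r'(?<!\\)\$\{[^}]*\}')


def struts_prefixes(jsp):
    """Return the prefixes this page binds to the Struts 2 tag library."""
    prefixes = set()
    for directive in TAGLIB.finditer(jsp):
        attrs = {n.lower(): v for n, _, v in ATTR.findall(directive.group(1))}
        if attrs.get("uri") == "/struts-tags" and "prefix" in attrs:
            prefixes.add(attrs["prefix"])
    return prefixes


def find_el_in_struts_tags(jsp):
    """Return sorted (line, tag, attribute, value) for EL in Struts tag attributes."""
    findings = []
    for prefix in struts_prefixes(jsp):
        # Quoted values may contain '>', so they are consumed as whole units.
        tag_re = re.compile(
            r'<%s:([\w-]+)((?:[^>"\']|"[^"]*"|\'[^\']*\')*)>' % re.escape(prefix))
        for tag in tag_re.finditer(jsp):
            line = jsp.count("\n", 0, tag.start()) + 1
            for name, _, value in ATTR.findall(tag.group(2)):
                if EL.search(value):
                    findings.append((line, tag.group(1), name, value))
    return sorted(findings)


if __name__ == "__main__":
    for line, tag, attr, value in find_el_in_struts_tags(SAMPLE_JSP):
        print(f"line {line}: Struts tag '{tag}' attribute {attr}={value!r} uses JSP EL")
```

On Struts 2.0.9 and later, pages flagged this way fail at translation time rather than being evaluated; on a project that ships a modified .tld with EL re-enabled, each finding is a place where request-controlled data could reach OGNL evaluation.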