
Apache Struts - OGNL Console

By kannthu

Informative
Vidoc Module
#apache#struts#ognl#panel
Description

What is the "Apache Struts - OGNL Console" module?

The "Apache Struts - OGNL Console" module is a test case designed to detect the presence of the OGNL console in Apache Struts. This console allows the evaluation of OGNL expressions that could potentially lead to Remote Command Execution. The module is created by DhiyaneshDK and has an informative severity level.

Impact

If the OGNL console is accessible, it poses a significant security risk as it can be exploited to execute remote commands on the server. This can lead to unauthorized access, data breaches, and potential compromise of the entire system.

How does the module work?

The module sends an HTTP GET request to the "/struts/webconsole.html?debug=console" path. It then applies two matching conditions to determine if the OGNL console is present:

    - The response body must contain the phrase "Welcome to the OGNL console!"
    - The response status code must be 200 (OK)

If both conditions are met, the module reports a vulnerability, indicating that the OGNL console is accessible and poses a potential security risk.

Reference:

- https://github.com/PortSwigger/j2ee-scan/blob/master/src/main/java/burp/j2ee/issues/impl/ApacheStrutsWebConsole.java

Remediation:

Restrict access to the OGNL console to authorized users only to mitigate the risk of remote command execution.

Module preview

Concurrent Requests (1)
1. HTTP Request template
GET/struts/webconsole.h...
Matching conditions
word: Welcome to the OGNL console!
and
status: 200
Passive global matcher
No matching conditions.
On match action
Report vulnerability