Apache Struts Security Workshop

This workshop demonstrates how to exploit and backport security fixes (CVE-2024-53677) into Apache Struts using cherry-picking.

Prerequisites

Git
Java 8
Maven
Python 3

Instructions

1. Run Vulnerable Application

cd struts-vuln
mvn jetty:run

Verify the application at: http://localhost:8080

2. Exploit the Vulnerability

python exploit.py --url http://localhost:8080 --upload-file shell.jsp --destination ../exploit.jsp

Check exploit at: http://localhost:8080/exploit.jsp

3. Backport Security Fix

Clone Apache Struts separately:

git clone https://github.com/apache/struts.git
cd struts
git checkout -b patched-release STRUTS_2_3_33

Cherry-pick the commit fixing CVE-2024-53677:

git cherry-pick <commit-hash>
mvn clean install -DskipTests

Update your application's pom.xml to use the patched version (2.3.33-patched).

Rebuild the patched application:

cd ../struts-vuln
sed -i '' 's/2.3.33/2.3.33-patched/g' pom.xml
mvn clean package jetty:run

Test exploit again to verify it's resolved.

Repository Structure

struts-workshop/
├── struts (patched separately)
└── struts-vuln
    ├── src/
    ├── exploit.py
    └── pom.xml

Name		Name	Last commit message	Last commit date
Latest commit History 1 Commit
struts-vuln		struts-vuln
README.md		README.md

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Repository files navigation

Apache Struts Security Workshop

Prerequisites

Instructions

1. Run Vulnerable Application

2. Exploit the Vulnerability

3. Backport Security Fix

Repository Structure

About

Uh oh!

Releases

Packages

Uh oh!

Languages

endorlabs/struts-workshop

Folders and files

Latest commit

History

Repository files navigation

Apache Struts Security Workshop

Prerequisites

Instructions

1. Run Vulnerable Application

2. Exploit the Vulnerability

3. Backport Security Fix

Repository Structure

About

Resources

Uh oh!

Stars

Watchers

Forks

Releases

Packages 0

Uh oh!

Languages

Packages