Apache Struts and Equifax: real life consequences
9/14/2017 Update: The Apache Struts vulnerability discussed in this blog was found to be the flaw that led to the Equifax data breach. While hacking games are fun, it’s a reminder that legitimate applications have these vulnerabilities, with real-life consequences and extremely high stakes. For more details on the Apache Struts vulnerability and a hackathon where we used it to own an application server, continue reading.
A few weeks ago my friend (1) and I attended a hackathon sponsored by a local ISSA chapter (2). The hackathon was a hands-on event where participants learned about common web application vulnerabilities in a fun, gamified environment. The technical platform for this hackathon was provided by Security Innovation (3).
At the end of the event, the two of us finished first and second, with nearly half of the available points each. Security Innovation, however, graciously kept the game open for a few more days to give the participants an opportunity to continue to play and learn.
We used this opportunity to find and exploit more vulnerabilities in the application, and ultimately discover the one that allowed us to completely own the application server.