I just found a way to exploit a permanent cross-site scripting vulnerability in the HDIV struts2 showcase application.
1- Install struts2-showcase-2.0.11.war
2- Click on "Person Manager"
3- Click on "Create Person"
4- Add a person with name "andres" and last name "riancho<script>alert(2)</script>".
5- Click on "List people"
6- A pop-up with the number 2 should appear.
Editable data is also important ;)
Andrés Riancho
http://www.bonsai-sec.com/
I have tried the steps you mentioned and discovered it is due to the configuration. You will need to add an extra entry key in "hdiv-validations.xml" to monitor that specific path. For example,
<entry key=".*/person/.*.action">
    <list>
        <ref bean="safeText" />
        <!-- Typical SQL Injection attack -->
        <ref bean="SQLInjection" />
        <!-- Simple XSS attack -->
        <ref bean="simpleXSS" />
        <!-- image XSS attack -->
        <ref bean="imageXSS" />
        <!-- script XSS attack -->
        <ref bean="scriptXSS" />
    </list>
</entry>
This is not a bug
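The reply above shows only the new map entry. The security-relevant point is that HDIV checks editable (free-text) parameters only for requests whose URL matches one of the entry keys, so an action that accepts form input but has no matching key gets no validation at all, which is exactly how the person/ pages let the last-name payload through. The file below is an added example of a complete hdiv-validations.xml, not the file shipped with HDIV or the showcase. It assumes HDIV 2.0's Spring-bean layout (an org.hdiv.config.HDIVValidations bean with a "urls" map, and org.hdiv.validator.Validation beans with acceptedPattern/rejectedPattern properties); the regexes in the validation beans, the escaped `\.` in the keys, and the assumption that a broad trailing key acts as a safety net are all illustrative assumptions, not the project's own definitions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not HDIV's own file. Assumes HDIV 2.0's Spring-bean
     configuration; bean class names, property names and patterns are assumptions. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd">

  <!-- Each entry key is a regex matched against the request URL. Editable
       parameters are validated only for requests whose URL matches a key; an
       action with no matching key is left unchecked, which is the gap reported
       for the person/ actions in this thread. -->
  <bean id="editableParametersValidations" class="org.hdiv.config.HDIVValidations">
    <property name="urls">
      <map>
        <!-- The entry from the reply, with the dot before "action" escaped so it is
             literal. Covers createPerson.action, listPeople.action, etc. -->
        <entry key=".*/person/.*\.action">
          <list>
            <ref bean="safeText" />
            <ref bean="SQLInjection" />
            <ref bean="simpleXSS" />
            <ref bean="imageXSS" />
            <ref bean="scriptXSS" />
          </list>
        </entry>
        <!-- Safety net (assumption about HDIV's entry selection): any other .action
             URL still gets the basic checks instead of silently getting none. -->
        <entry key=".*\.action">
          <list>
            <ref bean="safeText" />
            <ref bean="scriptXSS" />
          </list>
        </entry>
      </map>
    </property>
  </bean>

  <!-- Allow-list rule: a value must match acceptedPattern to pass. The report's
       last name "riancho<script>alert(2)</script>" fails this rule on its own,
       because '<', '>' and '(' are not in the accepted character class. -->
  <bean id="safeText" class="org.hdiv.validator.Validation">
    <property name="acceptedPattern">
      <value><![CDATA[^[a-zA-Z0-9@.\-_ ]*$]]></value>
    </property>
  </bean>

  <!-- Deny-list rules: a value matching rejectedPattern is refused.
       Illustrative patterns only. -->
  <bean id="SQLInjection" class="org.hdiv.validator.Validation">
    <property name="rejectedPattern">
      <value><![CDATA[(?i)(\s|^)(union|select|insert|update|delete|drop)\s]]></value>
    </property>
  </bean>

  <!-- Any HTML tag in a free-text field -->
  <bean id="simpleXSS" class="org.hdiv.validator.Validation">
    <property name="rejectedPattern">
      <value><![CDATA[(?i)<[a-z][^>]*>]]></value>
    </property>
  </bean>

  <!-- An image element with a src attribute -->
  <bean id="imageXSS" class="org.hdiv.validator.Validation">
    <property name="rejectedPattern">
      <value><![CDATA[(?i)<\s*img[^>]*src\s*=]]></value>
    </property>
  </bean>

  <!-- A script element, opening or closing, with optional whitespace -->
  <bean id="scriptXSS" class="org.hdiv.validator.Validation">
    <property name="rejectedPattern">
      <value><![CDATA[(?i)<\s*/?\s*script]]></value>
    </property>
  </bean>

</beans>
```

The check a practitioner should make after editing this file is to list every action that accepts user-supplied text and confirm each of its URLs is matched by some entry key; in a deployment the validation beans should be the definitions that ship with HDIV rather than the illustrative ones here.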