Commander Commander

Scanning an application using STRUTS 1

Good afternoon,

There is an application that is using STRUTS 1. While reviewing the Apache Struts policy I noticed a lot of STRUTS 2 vulnerabilities, but not much for STRUTS 1. I'm going to assume I'll need to write a custom policy for any STRUTS 1 vulnerabilities of which there are 5. What signatures do you suggest I should add to the existing Struts Apache policy to include the STRUTS 1 vulnerabilities?


1 Reply
Micro Focus Expert
Micro Focus Expert

You could open a copy of the Standard Policy with the Policy Manager and enable any checks that have "struts" in their Name, using the Search feature.

There are also the Custom Checks (wizard, simple checks) and the Custom Agents features to manually augment the attack policy with your own checks.

Be aware that for Custom Agents you will need to take the SDK extension (vsix) from the WebInspect folders and install it to Visual Studio 2017.  Your VS developer will then have access to Samples and once they have your desired attack functioning, then you can push it into WebInspect per the SDK extension documentation.

-- Habeas Data
Micro Focus Fortify Customers-Only Forums –
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.