Xml Dev Mode Enabled
Description
Detects when Apache Struts 2 development mode (the struts.devMode constant) is enabled in configuration files. Development mode is meant for local builds only: it reloads configuration on every request, returns verbose error pages with stack traces and internal class, path and parameter details, and activates the DebuggingInterceptor of the default interceptor stack, which acts only when devMode is on and lets any client that adds a debug request parameter dump the value stack or evaluate OGNL expressions on the server. A production deployment that ships with it enabled hands that diagnostic surface to attackers.
Detection Strategy
• Scans XML configuration files for Struts constant tags
• Identifies constant elements whose name attribute is struts.devMode (Struts property names are case-sensitive) and whose value attribute is true
• Reports a vulnerability when development mode is explicitly enabled through this configuration
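The strategy above, as an added example that is not part of the original page or of any Fluid Attacks tool: a small Python scanner that walks the elements of a struts.xml, reports each constant that switches struts.devMode on together with its line number, and, going beyond the XML-only rule, applies the same check to a struts.properties file, the other common place the property is set. The sample configurations are constructed for the example, and the function names and the Finding type are this example's own.

```python
import re
import xml.parsers.expat
from dataclasses import dataclass
from typing import Dict, List

DEVMODE_CONSTANT = "struts.devMode"  # Struts property names are case-sensitive


@dataclass(frozen=True)
class Finding:
    """Where development mode was switched on (result type invented for this example)."""
    source: str
    line: int
    value: str


def find_devmode_in_xml(xml_text: str, source: str = "struts.xml") -> List[Finding]:
    """Report every <constant name="struts.devMode" value="true"/> in a Struts XML file.

    Expat is used directly rather than ElementTree because it exposes the line
    number of the element being handled. Expat does not fetch the external DTD
    named in the DOCTYPE, so the scan runs offline.
    """
    findings: List[Finding] = []
    parser = xml.parsers.expat.ParserCreate()

    def on_start_element(tag: str, attrs: Dict[str, str]) -> None:
        if tag != "constant":
            return
        name = attrs.get("name", "").strip()
        value = attrs.get("value", "").strip()
        # Compare the value case-insensitively: flag "TRUE" or "True" as well,
        # rather than assume how a particular Struts version parses booleans.
        if name == DEVMODE_CONSTANT and value.lower() == "true":
            findings.append(Finding(source, parser.CurrentLineNumber, value))

    parser.StartElementHandler = on_start_element
    parser.Parse(xml_text.encode("utf-8"), True)
    return findings


# key, then optional "=" or ":" separator, then the value (java.util.Properties style)
_PROPERTY_LINE = re.compile(r"([^=:\s]+)\s*[=:]?\s*(.*)")


def find_devmode_in_properties(text: str, source: str = "struts.properties") -> List[Finding]:
    """Same check for struts.properties, which can set the constant as well."""
    findings: List[Finding] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in "#!":  # blank or comment line
            continue
        match = _PROPERTY_LINE.match(line)
        if match is None:
            continue
        key, value = match.group(1), match.group(2).strip()
        if key == DEVMODE_CONSTANT and value.lower() == "true":
            findings.append(Finding(source, lineno, value))
    return findings


# Constructed sample inputs (not taken from any real project).
VULNERABLE_STRUTS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE struts PUBLIC "-//Apache Software Foundation//DTD Struts Configuration 2.5//EN"
  "http://struts.apache.org/dtds/struts-2.5.dtd">
<struts>
  <constant name="struts.devMode" value="true"/>
  <package name="basic" extends="struts-default">
    <action name="index"><result>/index.jsp</result></action>
  </package>
</struts>
"""

SECURE_STRUTS_XML = VULNERABLE_STRUTS_XML.replace('value="true"', 'value="false"')

STRUTS_PROPERTIES = """# constructed sample
struts.devMode = TRUE
struts.enable.DynamicMethodInvocation = false
"""


if __name__ == "__main__":
    hits = find_devmode_in_xml(VULNERABLE_STRUTS_XML) + find_devmode_in_properties(STRUTS_PROPERTIES)
    for finding in hits:
        print(f"{finding.source}:{finding.line}: {DEVMODE_CONSTANT} is {finding.value}")
```

Running the block prints one hit for the XML sample (line 5) and one for the properties sample (line 2) and nothing for the secured XML. When the scanner is pointed at untrusted files, swap xml.parsers.expat for the defusedxml wrappers to rule out entity-expansion tricks in the input itself.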
Vulnerable code example
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE struts PUBLIC "-//Apache Software Foundation//DTD Struts Configuration 2.5//EN" "http://struts.apache.org/dtds/struts-2.5.dtd">
<struts>
<!-- Vulnerable: development mode exposes stack traces, internal details and the debug request parameter -->
<constant name="struts.devMode" value="true"/>
<package name="basic" extends="struts-default">
<action name="index">
<result>/index.jsp</result>
</action>
</package>
</struts>
✅ Secure code example
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE struts PUBLIC "-//Apache Software Foundation//DTD Struts Configuration 2.5//EN" "http://struts.apache.org/dtds/struts-2.5.dtd">
<struts>
<!-- Security: keep development mode off in every deployed configuration -->
<constant name="struts.devMode" value="false"/>
<!-- Security: disable Dynamic Method Invocation so a request URL cannot select which action method runs -->
<constant name="struts.enable.DynamicMethodInvocation" value="false"/>
</struts>
Note that struts.devMode can also be set in struts.properties or as a filter init-param in web.xml, and a later source overrides an earlier one, so a false value in struts.xml is only conclusive if those files do not switch it back on.