Skip to content

We are Seeing Ongoing Struts 2 Attacks

We are Seeing Ongoing Struts 2 Attacks

If you’re running web applications on the Internet, then you’re almost certainly seeing probes for the Struts 2 vulnerability (CVE-2017-5638). These attacks started within hours of the vulnerability being released, and we continue to see widespread probes with dangerous payloads in the first request. They all look something like this…


This attack is extremely dangerous. The attacker is taking advantage of how Struts 2 handles malformed Content-Type headers. They are included in an error message that is evaluated as an OGNL expression. This gives any unauthenticated attacker the ability to run arbitrary code on your server. In this case, the underlying payload is written in Perl and downloaded from the Internet. An IRC channel is used for command and control. 

Contrast Security is just like you, and we are seeing these attacks against our servers too.  Since the announcement last month, we have been blocking attacks numerous times, every day, from places like Hong Kong, Shandong, Bangalore, and many other places around the world.

As I sit and watch these attacks happening, I can’t help but feel all warm and cozy inside. Contrast automatically detects and blocks attacks like Struts 2 and other vulnerabilities in open source components. Contrast also blocks bots, manual attacks, even attacks against totally unknown vulnerabilities in your applications. 

I want to help you with your application security program. You don’t have to live with ‘solutions’ cobbled together from a variety of tools that are more work than they’re worth. There is no reason why you shouldn’t be able to instantly:

If you’d like to know more, let me know and we can talk.


Jeff Williams | Co-founder and CTO
Contrast Security
888.371.1333 | @planetlevel @contrastsec

Jeff Williams, Co-Founder, Chief Technology Officer

Jeff Williams, Co-Founder, Chief Technology Officer

Jeff brings more than 20 years of security leadership experience as co-founder and Chief Technology Officer of Contrast Security. He recently authored the DZone DevSecOps, IAST, and RASP refcards and speaks frequently at conferences including JavaOne (Java Rockstar), BlackHat, QCon, RSA, OWASP, Velocity, and PivotalOne. Jeff is also a founder and major contributor to OWASP, where he served as Global Chairman for 9 years, and created the OWASP Top 10, OWASP Enterprise Security API, OWASP Application Security Verification Standard, XSS Prevention Cheat Sheet, and many more popular open source projects. Jeff has a BA from Virginia, an MA from George Mason, and a JD from Georgetown.