Struts 2 development mode

Description
  • Struts 2 has a setting called devMode (development mode), which can be set to true or false in struts.properties. When this setting is enabled, Struts 2 provides additional logging and debug information, which can significantly speed up development.
  • The development mode flag also enables an OGNL injection backdoor that lets developers inspect their Value Stacks with ease from a handy OGNL console or via a request parameter. This handy feature for developers turns into a security nightmare if the application is released to production servers with the flag still on.
Remediation
  • Struts 2 development mode should be disabled on production servers.
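  A pre-deployment check for the setting described above, added here as an example (not code from the page or from the Struts project). It resolves the effective struts.devMode value from struts.xml and struts.properties, following the Struts 2 loading order in which struts.properties overrides struts.xml; the sample configuration text is constructed.

```python
"""Report whether a Struts 2 build would start with devMode enabled.

Added example, not part of the original page. Struts 2 loads struts.xml before
struts.properties and a later source overrides an earlier one, so both files are
inspected; when the key is set nowhere, Struts defaults devMode to false.
"""
import re
import xml.etree.ElementTree as ET

DEV_MODE_KEY = "struts.devMode"


def devmode_from_struts_xml(xml_text):
    """Return the last struts.devMode <constant value> in struts.xml, or None."""
    value = None
    for const in ET.fromstring(xml_text).iter("constant"):
        if const.get("name") == DEV_MODE_KEY:
            value = const.get("value")  # last declaration in the file wins
    return value


def devmode_from_properties(props_text):
    """Return the struts.devMode value from struts.properties text, or None."""
    value = None
    for line in props_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):  # blank or comment line
            continue
        m = re.match(r"^([^=:\s]+)\s*[=:]?\s*(.*)$", line)  # key=value / key:value
        if m and m.group(1) == DEV_MODE_KEY:
            value = m.group(2).strip()
    return value


def dev_mode_enabled(struts_xml=None, struts_properties=None):
    """Resolve the effective setting: struts.properties overrides struts.xml."""
    effective = "false"
    for source, reader in ((struts_xml, devmode_from_struts_xml),
                           (struts_properties, devmode_from_properties)):
        if source is not None and reader(source) is not None:
            effective = reader(source)
    return effective.strip().lower() == "true"


# Constructed samples: a struts.xml that turns devMode on for development and a
# struts.properties that switches it back off for the production build.
SAMPLE_XML = '<struts><constant name="struts.devMode" value="true"/></struts>'
SAMPLE_PROPS = "# production overrides\nstruts.devMode=false\n"

if __name__ == "__main__":
    print("devMode on (xml only):", dev_mode_enabled(SAMPLE_XML))
    print("devMode on (xml + properties):", dev_mode_enabled(SAMPLE_XML, SAMPLE_PROPS))
```

Run it against the struts.xml and struts.properties packaged in the WAR before release; any True result is a finding to fix before the build reaches production.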