Struts DevMode

Struts DevMode is a development feature in Apache Struts that, when enabled in production, exposes detailed error information and OGNL evaluation capabilities that can lead to remote code execution.

DevMode Features

  • Detailed stack traces in responses
  • Debug console access
  • OGNL expression evaluation
  • Configuration reload without restart

Vulnerability Impact

# With devMode=true, error pages may allow OGNL injection
# Or debug parameters can evaluate expressions

# Request with OGNL payload:
?debug=command&expression=%23rt=@java.lang.Runtime@getRuntime(),%23rt.exec('whoami')

# Results in command execution

Detection

# Check struts.xml or struts.properties
<constant name="struts.devMode" value="true"/>

# Or in struts.properties (web.xml can also pass it to the Struts filter as an <init-param>)
struts.devMode = true

# Signs in responses:
- Detailed Java stack traces
- OGNL expression errors
- Debug information
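The checks listed above, as an added example that is not part of the original page or of Apache Struts itself: a small Python audit script that parses the three configuration sources (struts.xml constant, struts.properties key, web.xml filter init-param) for struts.devMode=true and then looks for the response tell-tales (Struts Problem Report page, OGNL exception names, Java stack trace frames). Every file body and the sample error response are constructed for this example; the regular expressions are a reasonable starting set, not an exhaustive signature list.

```python
"""Added example (not from the original page): audit Struts config sources for
struts.devMode=true and flag dev-mode indicators in an HTTP response body."""
import re
import xml.etree.ElementTree as ET


# ---- 1. Configuration sources ------------------------------------------------

def devmode_in_struts_xml(xml_text: str) -> bool:
    """True if struts.xml declares <constant name="struts.devMode" value="true"/>."""
    root = ET.fromstring(xml_text)
    for const in root.iter("constant"):
        if const.get("name") == "struts.devMode":
            return const.get("value", "").strip().lower() == "true"
    return False


def devmode_in_properties(props_text: str) -> bool:
    """True if struts.properties sets struts.devMode to true ('=' or ':' separators, spaces allowed)."""
    for line in props_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):      # comment lines in Java .properties
            continue
        m = re.match(r"struts\.devMode\s*[=:]\s*(\S+)", line)
        if m:
            return m.group(1).lower() == "true"
    return False


def devmode_in_web_xml(xml_text: str) -> bool:
    """True if web.xml passes struts.devMode=true to the Struts filter as an <init-param>.
    web.xml is namespaced, so tags are compared by local name."""
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        if elem.tag.split("}")[-1] != "init-param":
            continue
        name = value = ""
        for child in elem:
            local = child.tag.split("}")[-1]
            if local == "param-name":
                name = (child.text or "").strip()
            elif local == "param-value":
                value = (child.text or "").strip()
        if name == "struts.devMode" and value.lower() == "true":
            return True
    return False


def audit(struts_xml: str, props: str, web_xml: str) -> dict[str, bool]:
    """Map each config source to whether it turns devMode on."""
    return {
        "struts.xml": devmode_in_struts_xml(struts_xml),
        "struts.properties": devmode_in_properties(props),
        "web.xml": devmode_in_web_xml(web_xml),
    }


# ---- 2. Signs in HTTP responses ---------------------------------------------

RESPONSE_SIGNS = {
    # "\tat com.example.Foo.bar(Foo.java:42)" style frame lines
    "java_stack_trace": re.compile(r"^\s+at [\w$.]+\([\w$.]*(?::\d+)?\)", re.MULTILINE),
    # ognl.OgnlException, ognl.MethodFailedException, ... leaking into the page
    "ognl_error": re.compile(r"ognl\.\w+Exception|OGNL expression"),
    # the devMode error page title / debug interceptor output
    "struts_debug_page": re.compile(r"Struts Problem Report|Struts Debug"),
}


def response_devmode_signs(body: str) -> list[str]:
    """Return the names of dev-mode indicators present in a response body."""
    return [name for name, pat in RESPONSE_SIGNS.items() if pat.search(body)]


# ---- Constructed sample inputs ----------------------------------------------

SAMPLE_STRUTS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE struts PUBLIC "-//Apache Software Foundation//DTD Struts Configuration 2.5//EN"
    "http://struts.apache.org/dtds/struts-2.5.dtd">
<struts>
    <constant name="struts.devMode" value="true"/>
    <package name="default" extends="struts-default"/>
</struts>
"""

SAMPLE_PROPERTIES = "# constructed struts.properties\nstruts.devMode = true\nstruts.i18n.encoding=UTF-8\n"

SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
    <filter>
        <filter-name>struts2</filter-name>
        <filter-class>org.apache.struts2.dispatcher.filter.StrutsPrepareAndExecuteFilter</filter-class>
        <init-param>
            <param-name>struts.devMode</param-name>
            <param-value>true</param-value>
        </init-param>
    </filter>
</web-app>
"""

SAMPLE_ERROR_RESPONSE = """<html><body><h2>Struts Problem Report</h2>
<p>ognl.MethodFailedException: Method "getTotal" failed for object ...</p>
<pre>java.lang.NullPointerException
\tat com.example.OrderAction.execute(OrderAction.java:42)
\tat org.apache.struts2.dispatcher.Dispatcher.serviceAction(Dispatcher.java:642)
</pre></body></html>
"""

if __name__ == "__main__":
    for src, on in audit(SAMPLE_STRUTS_XML, SAMPLE_PROPERTIES, SAMPLE_WEB_XML).items():
        print(f"{src:18} devMode={'ON  <- fix before deploying' if on else 'off'}")
    print("response indicators:", response_devmode_signs(SAMPLE_ERROR_RESPONSE))
```

Run it against the real files pulled from a deployed WAR (struts.xml and struts.properties under WEB-INF/classes, web.xml under WEB-INF); any True in the audit map is a finding, and a response that trips even one of the three indicators deserves the same follow-up because the error page alone tells an attacker the mode is on.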

Configuration

# struts.xml - NEVER enable in production
<constant name="struts.devMode" value="false"/>

# Or in struts.properties
struts.devMode=false

Related Vulnerabilities

Many critical Struts CVEs (like CVE-2017-5638) are related to OGNL injection. DevMode compounds the risk by exposing additional evaluation vectors.

See Also