Struts 2 Config Browser plugin enabled

Severity: Medium

Invicti detected that the web application is configured to use the Config Browser plugin. The Config Browser Plugin is a tool used to view the web application configuration at runtime. This plugin should be used only during development phase and access to it should be strictly restricted in production.


The Config Browser plugin is exposing sensitive information that could help an attacker to conduct further attacks.

Actions To Take#

The Config Browser plugin can be disabled by removing the .jar file (usually named struts2-config-browser-plugin-*.jar) from WEB-INF/lib directory.

Build your resistance to threats. And save hundreds of hours each month.

Get a demo See how it works