Expression language injection

Description

This script is possibly vulnerable to Expression Language Injection attacks.

To provide easy ways of outputting data from an object model that more closely resembles pure scripting languages, Expression Language (EL) was developed as part of JSTL (Java Server Pages Standard Tag Library).

JSP EL is a specification (JSR-245 and JSR 252 [2]) and there are many implementations:

  • JSP 2.0/2.1: Used by most recently built applications, and delivered as part of the JSTL.
  • Jakarta: An older EL implementation built by Apache.
  • OGNL: A powerful EL popularized by Struts2/WebWork.
  • MVEL: A general purpose EL usable for console applications.
  • SPEL: Springs custom EL for scripting (not used in JSPs).


  • Expression Language Injection occurs when user input is evaluated by a J2EE servers Expression Language resolvers, and a common opportunity for this vulnerability to occur today is with the usage of Spring JSP tags.

    Remediation

    Perform data validation best practice against untrusted input and to ensure that output encoding is applied when data arrives on the EL layer, so that no metacharacter is found by the interpreter within the user content before evaluation. The most obvious patterns to detect include ${ and #{, but it may be possible to encode or fragment this data.

    References