Expression Language Injection


Expression Language (EL) Injection happens when attacker controlled data enters an EL interpreter. With EL implementations prior to 2.2, attacker can recover sensitive server side information available through implicit objects.This includes model objects, beans, session scope, application scope, etc.The EL 2.2 spec allows method invocation, which permits an attacker to execute arbitrary code within context of the application.This can manipulate application functionality, expose sensitive data, and branch out into system code access– posing a risk of server compromise. A specific pattern exists in certain version of the Spring Framework, where Spring JSP tags will double resolve EL.In versions prior to 3.0 .6, it is not possible to disable this functionality, and the pattern must be avoided.

Products, Sensors, and Dependencies

ProductDependenciesData sourceAccess requiredProtocolData CollectedNotes
Tenable Web App ScanningWeb ApplicationsAuthenticated ScanHTTP/HTTPSExpression Language InjectionPlugin ID: 113317


Expression Language Injection

Attack Path Technique Details

Framework: OWASP

Family: Injection

Platform: Web Application

Products Required: Tenable Web App Scanning

Tenable Release Date: 2022 Q2