Expression Language Injection

Description

Expression Language (EL) Injection happens when attacker-controlled data enters an EL interpreter. With EL implementations prior to 2.2, an attacker can recover sensitive server-side information available through implicit objects. This includes model objects, beans, session scope, application scope, etc. The EL 2.2 spec allows method invocation, which permits an attacker to execute arbitrary code within the context of the application. This can manipulate application functionality, expose sensitive data, and branch out into system code access, posing a risk of server compromise. A specific pattern exists in certain versions of the Spring Framework, where Spring JSP tags will double resolve EL. In versions prior to 3.0.6, it is not possible to disable this functionality, and the pattern must be avoided.
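A source-review check for the Spring double-resolution pattern described above, as an added example that is not part of the original page or of any Tenable plugin. It assumes the conventional `spring:` and `form:` taglib prefixes, uses Spring's `springJspExpressionSupport` context parameter (not named on this page) as the disabling switch, and conservatively treats a missing setting as enabled; the sample `web.xml` and JSP contents are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Spring JSP tag (conventional spring:/form: taglib prefixes, an assumption) with an
# attribute holding EL that reads a request-controlled implicit object.
TAINTED_EL = re.compile(
    r"<((?:spring|form):[\w-]+)\b[^>]*?\$\{[^}]*"
    r"(?<![\w.])(?:paramValues|param|headerValues|header|cookie)\b[^}]*\}"
)

def el_support_disabled(web_xml):
    """True if web.xml sets context-param springJspExpressionSupport to false."""
    for el in ET.fromstring(web_xml).iter():
        if el.tag.rsplit("}", 1)[-1] != "context-param":
            continue
        kv = {c.tag.rsplit("}", 1)[-1]: (c.text or "").strip() for c in el}
        if kv.get("param-name") == "springJspExpressionSupport":
            return kv.get("param-value", "").lower() == "false"
    return False

def audit(web_xml, jsps, spring_version):
    """Return (file, line, tag) for Spring tags that would double resolve tainted EL."""
    # The switch only exists from 3.0.6; on older versions the pattern must be avoided.
    if spring_version >= (3, 0, 6) and el_support_disabled(web_xml):
        return []
    findings = []
    for name, text in sorted(jsps.items()):
        for m in TAINTED_EL.finditer(text):
            findings.append((name, text.count("\n", 0, m.start()) + 1, m.group(1)))
    return findings

# Constructed sample inputs (not from any real application).
WEB_XML_DEFAULT = "<web-app><display-name>demo</display-name></web-app>"
WEB_XML_HARDENED = """<web-app>
  <context-param>
    <param-name>springJspExpressionSupport</param-name>
    <param-value>false</param-value>
  </context-param>
</web-app>"""
JSPS = {
    "home.jsp": '<spring:message code="home.title"/>\n<c:out value="${param.q}"/>\n',
    "search.jsp": '<h1>Search</h1>\n<spring:message code="${param.msgKey}"/>\n',
}

if __name__ == "__main__":
    for finding in audit(WEB_XML_DEFAULT, JSPS, (3, 0, 6)):
        print("double-resolved EL on request data: %s:%d <%s>" % finding)
```

A finding is cleared either by setting the context parameter to `false` (3.0.6 and later) or by removing request data from the tag attribute's EL.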

Products, Sensors, and Dependencies

| Product | Dependencies | Data source | Access required | Protocol | Data Collected | Notes |
| --- | --- | --- | --- | --- | --- | --- |
| Tenable Web App Scanning | | Web Applications | Authenticated Scan | HTTP/HTTPS | Expression Language Injection | Plugin ID: 113317 |

References

Expression Language Injection

Attack Path Technique Details

Framework: OWASP

Family: Injection

Platform: Web Application

Products Required: Tenable Web App Scanning

Tenable Release Date: 2022 Q2