Expression language injection
Expression language injection definition
Expression language injection is a security vulnerability (weakness) in which an attacker is able to insert malicious code into an expression (programming) language that the application evaluates. If the application does not recognize the input as malicious code, it may execute it. As a result, the attacker can gain unauthorized access, manipulate data or cause other harm. Expression language injection occurs when the application fails to properly validate and sanitize user input before passing it to the expression engine.
See also: code injection
Examples of expression language injection
- OGNL injection: The attacker injects malicious OGNL expressions to manipulate or execute unauthorized code in Java-based applications.
- EL injection: The attacker exploits the Expression Language (EL) used in JavaServer Pages (JSP) or JavaServer Faces (JSF) to execute arbitrary code or access sensitive data.
- MVEL injection: The attacker injects malicious MVEL (MVFLEX Expression Language) expressions to exploit vulnerabilities in applications using MVEL for dynamic evaluations.
- SpEL injection: The attacker exploits the Spring Expression Language (SpEL) used in Spring Framework to execute unintended commands or access unauthorized resources.
How expression language injection happens
- The application accepts user input or external data (e.g., form fields or query parameters) without properly validating it.
- An attacker identifies these input fields and injects malicious expressions (code) into them.
- The application processes the injected input without sufficient sanitization, treating it as legitimate code.
- The application executes the injected expressions, allowing the attacker to run their own commands or access sensitive data.
- This can result in modified database queries, accessing unauthorized information, or executing other harmful actions on the application or server.
How to prevent expression language injection
- Validate what users submit and reject input that contains expression syntax or other code.
- Use parameterized mechanisms that keep user input as data, separate from the expression (or database query) being evaluated, so it cannot run as code.
- Sanitize and check user-supplied content before rendering it in the application.
- Keep frameworks, expression engines and other dependencies up to date.
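The following is an added example, not code from the original page or from any project it names; it illustrates both the "how it happens" steps and the "how to prevent" advice above using the Spring Expression Language (SpEL) from the Spring Framework. It assumes spring-expression is on the classpath; the `GreetingDemo` class, the `User` data-binding object and the greeting feature itself are hypothetical. The same feature is shown twice: once with user input concatenated into the expression source (vulnerable), and once with user input bound as a variable under a restricted evaluation context (hardened).

```java
import org.springframework.expression.EvaluationException;
import org.springframework.expression.Expression;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;

// Added example (hypothetical class, not from the original page): the same greeting
// feature written with user input parsed as expression code (vulnerable) and with
// user input bound as data (hardened).
public class GreetingDemo {

    // Hypothetical data-binding root object; the template is only meant to read its name.
    public static class User {
        private final String name;
        public User(String name) { this.name = name; }
        public String getName() { return name; }
    }

    private static final ExpressionParser PARSER = new SpelExpressionParser();

    // VULNERABLE: the request value is concatenated into the expression source, so
    // whatever the user typed is parsed and evaluated as SpEL. StandardEvaluationContext
    // also permits type references (T(...)), constructors and method calls, so the
    // expression can reach far beyond the User object it was supposed to render.
    public static String vulnerableGreeting(String userControlled) {
        String source = "'Hello ' + " + userControlled;
        Expression exp = PARSER.parseExpression(source);
        return exp.getValue(new StandardEvaluationContext(new User("alice")), String.class);
    }

    // HARDENED: the expression text is a developer-controlled constant; the request value
    // is bound to the variable #input and is therefore only ever evaluated as a string.
    // SimpleEvaluationContext further restricts the language to read-only property access
    // on the root object, disabling T(...) type references, constructors and bean lookups.
    public static String hardenedGreeting(String userControlled) {
        Expression exp = PARSER.parseExpression("'Hello ' + #input + ' (account: ' + name + ')'");
        SimpleEvaluationContext ctx = SimpleEvaluationContext.forReadOnlyDataBinding().build();
        ctx.setVariable("input", userControlled);
        return exp.getValue(ctx, new User("alice"), String.class);
    }

    public static void main(String[] args) {
        // Constructed request value: a type reference that has nothing to do with User.
        String payload = "T(java.lang.Math).random()";

        // Vulnerable path: the type reference is resolved and java.lang.Math is actually called,
        // so the output is "Hello " followed by a random number.
        System.out.println("vulnerable: " + vulnerableGreeting(payload));

        // Hardened path: the same text is rendered back verbatim as data.
        System.out.println("hardened:   " + hardenedGreeting(payload));

        // Even if a developer mistakenly evaluated the raw text under the restricted
        // context, the type reference is refused with an EvaluationException instead of executed.
        try {
            PARSER.parseExpression(payload)
                  .getValue(SimpleEvaluationContext.forReadOnlyDataBinding().build());
        } catch (EvaluationException e) {
            System.out.println("restricted context refused: " + e.getMessage());
        }
    }
}
```

The two defences are independent and worth combining: binding input as a variable stops it from ever being parsed as code (the "keep input separate from the expression" advice), while the restricted `SimpleEvaluationContext` limits the damage if some expression text does end up under attacker influence. When reviewing code, the pattern to look for is any string concatenation or formatting that builds the argument of `parseExpression` (or the equivalent OGNL, MVEL or JSP EL entry point) from request data.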