Expression Language Injection

Last revision (mm/dd/yy): //

Vulnerabilities Table of Contents

Description
Expression Language (EL) Injection happens when attacker controlled data enters an EL interpreter.

With EL implementations prior to 2.2, attacker can recover sensitive server side information available through implicit objects. This includes model objects, beans, session scope, application scope, etc. The EL 2.2 spec allows method invocation, which permits an attacker to execute arbitrary code within context of the application. This can manipulate application functionality, expose sensitive data, and branch out into system code access-- posing a risk of server compromise.

A specific pattern exists in certain version of the Spring Framework, where Spring JSP tags will double resolve EL. In versions prior to 3.0.6, it is not possible to disable this functionality, and the pattern must be avoided.

Risk Factors
TBD

Spring Message Tag
The Spring Message tag will double resolve Expression Language.

A common pattern of passing URL parameters to the message tag is:

Controller.java @RequestMapping(value="/") String index { if ( hasErrors ) { return "redirect:/error?msg=error.generic"; } else { return "index"; }   }

error.jsp 

A URL request to the above code of the form: ?msg=${param.test}&test=INJECTION

Will result in the string literal "INJECTION" being passed to the message tag. The application should respond with an exception like:

No message found under code 'INJECTION' for locale 'en_US'

Accordingly, the attacker could submit methods within the EL like: ?msg=${pageContext.request.getSession.setAttribute("admin",true)}

Related Attacks

 * Interpreter Injection

Related Vulnerabilities

 * Reflection injection
 * Injection problem

Related Controls
Avoid putting user data into an expression interpreter if possible. Otherwise, validate and/or encode the data to ensure it is not evaluated as expression language.
 * Input_Validation

In the case of Spring Framework, disable the double resolution functionality in versions 3.0.6 and above by placing the following configuration in the application web.xml.

 Spring Expression Language Support springJspExpressionSupport false 

Related Technical Impacts

 * Loss of accountability
 * Loss of availability
 * Loss of confidentiality
 * Loss of integrity