Expression Language Injection (EL Injection) happens when an attacker can control, in part or in whole, the data that is passed into an expression language. For example, Spring provides an EL called the Spring Expression Language (SpEL), a language that supports querying and manipulating object graphs at runtime. The JavaServer Pages (JSP) expression language allows a bean to be accessed using syntax such as ${name} for a simple variable [1]. By controlling the EL syntax/query and injecting unsanitized data, an attacker can extract sensitive information or run arbitrary code in the context of the application.

Impact of EL Injection for Java

EL Injection is the ability of an attacker to manipulate, in part or in whole, the expressions the application generates for the EL. In Spring EL (SpEL) as of 2.2, an attacker can extract sensitive information from the server through implicit objects. After SpEL 2.2, method invocation and arbitrary code execution can occur within the context of the application, allowing for sensitive data exposure, system access and even the risk of the entire server being compromised.

Java Specific Examples of EL Injection

Consider the parameter “name” within index.xhtml:

<li>Greeting: #{obj.bingo(request.getParameter('name'))}</li>

where the handler is implemented as follows:

import javax.el.ELContext;
import javax.el.ExpressionFactory;
import javax.el.ValueExpression;
import javax.faces.context.FacesContext;

public String bingo(String userInputName){
    // The handler runs inside a JSF request, so the current FacesContext is
    // assumed to be the "context" used below.
    FacesContext context = FacesContext.getCurrentInstance();
    ExpressionFactory ef = context.getApplication().getExpressionFactory();
    ELContext elContext = context.getELContext();
    // The raw request parameter becomes the expression text itself, so the
    // attacker decides what the EL engine evaluates.
    ValueExpression vex = ef.createValueExpression(elContext, userInputName, String.class); // <--HERE!
    String result = (String) vex.getValue(elContext);
    return result;
}

What if we were then able to send payloads that exploit this vulnerability, such as:

https://.../?name=${{ request }}

Or maybe even?

Payload (on a Windows system):
${"".getClass().forName("java.lang.Runtime").getMethods()[6].invoke("".getClass().forName("java.lang.Runtime")).exec("calc.exe")}

Fixes for EL Injection in Java

Avoid using user-controlled data inside dynamically evaluated code.
Try to find safer alternatives for implementing functions/data so that they cannot be manipulated to inject code into the server process.

If this is unavoidable, then the data should be validated.
Potential solutions include whitelisting acceptable values for specific application functions, or only allowing specific kinds of values, e.g. only alphanumeric strings.
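The following is an added example (not code from the original article) showing both recommendations applied to the bingo() handler above: the request parameter is first validated against a whitelist pattern, and, where an EL evaluation is genuinely needed, the untrusted value is bound to an EL variable while the expression text itself stays a developer-controlled constant. The class name GreetingBean, the method names safeGreeting and greetingViaFixedExpression, the variable name visitorName and the NAME_PATTERN regex are assumptions; the code also assumes it runs inside a JSF request whose ELContext provides a VariableMapper.

```java
import java.util.regex.Pattern;
import javax.el.ELContext;
import javax.el.ExpressionFactory;
import javax.el.ValueExpression;
import javax.el.VariableMapper;
import javax.faces.context.FacesContext;

// Hardened replacement for the vulnerable bingo() handler. Added example;
// class, method and variable names are hypothetical.
public class GreetingBean {

    // Whitelist: a display name may only contain letters, digits, spaces,
    // hyphens and apostrophes, and must be 1 to 40 characters long. EL
    // metacharacters such as ${, #{, ( ) and . can never match this.
    private static final Pattern NAME_PATTERN =
            Pattern.compile("^[\\p{L}\\p{N} '\\-]{1,40}$");

    private static boolean isAllowedName(String name) {
        return name != null && NAME_PATTERN.matcher(name).matches();
    }

    // Preferred fix: no dynamic evaluation at all. The name is treated
    // purely as data and concatenated into the greeting.
    public String safeGreeting(String userInputName) {
        if (!isAllowedName(userInputName)) {
            // Reject rather than attempt to "clean" the input.
            return "Hello, guest";
        }
        return "Hello, " + userInputName;
    }

    // If an EL evaluation cannot be avoided, keep the expression string
    // constant and pass the untrusted value in through an EL variable.
    public String greetingViaFixedExpression(String userInputName) {
        if (!isAllowedName(userInputName)) {
            return "Hello, guest";
        }
        FacesContext context = FacesContext.getCurrentInstance();
        ExpressionFactory ef = context.getApplication().getExpressionFactory();
        ELContext elContext = context.getELContext();

        // Wrap the validated value as a literal ValueExpression; it is never
        // parsed as EL syntax.
        ValueExpression nameValue = ef.createValueExpression(userInputName, String.class);
        VariableMapper vars = elContext.getVariableMapper(); // assumed non-null in JSF
        vars.setVariable("visitorName", nameValue);

        // The expression text is a fixed constant chosen by the developer,
        // not built from request data.
        ValueExpression greeting = ef.createValueExpression(
                elContext, "Hello, #{visitorName}", String.class);
        return (String) greeting.getValue(elContext);
    }
}
```

In index.xhtml the call would then read #{obj.safeGreeting(request.getParameter('name'))}, so an input such as ${request} or a Runtime.exec payload is rejected by the whitelist before any evaluation, and even a value that passes the whitelist only ever reaches the EL engine as a bound variable value, never as expression text.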


References

OWASP: Expression Language Injection
Spring: What is Spring Expression Language (SpEL)
Exploit-DB: Remote Code Execution with EL Injection Vulnerabilities by Asif Durani
Minded Security: Expression Language Injection by Stefano Di Paola, Arshan Dabirsiaghi
Better Hacker: RCE in Hubspot with EL injection in HubL