General Information

Expression Language Injection

Variants:
Direct, Persistent, Session

Vector Type:
Attack

Relevance:
Technology Specific

Layer:
Application-Level

Platforms:
Spring Framework - Java

Target Type:
Web Application

Affected Mechanisms:
Input Validation, Syntax Escaping, Secure Design

Invented In:
12/09/2011

Added In:
31/12/2014


Vector Operation Method:
Malicious inputs can reach the server-side Spring EL interpreter and cause it to execute attacker-controlled code in the context of the application. The vulnerability may exist in applications based on Java Spring Framework versions 3.0.0 - 3.0.5, and in Java Spring applications that make use of programmatic EL syntax evaluation classes.


Direct Variant:

EL Injection

Variant Title:
EL Injection

Typical Severity:
Critical

Learn More:


Persistent Variant:

Stored EL Injection

Also Known As:
Persistent EL Injection

Typical Severity:
Critical

Resources:

White Papers:

Learn More:


Session Variant:

EL Injection via Session Puzzling

Also Known As:
Session EL Injection

Typical Severity:
Critical

Resources:

White Papers:

Learn More: