Description
Expression Language Injection (EL Injection) is a critical vulnerability that occurs when user input is used to construct dynamic expressions in a web application without proper validation. By altering the server-side expression, an attacker can read sensitive information or, in the worst case, execute commands on the server.
Recommendation
To mitigate EL Injection, do not build expressions directly from user input; keep the expression text developer-controlled and pass user-supplied values in as typed variables. If you use the Spring Framework, disable the double resolution functionality. Likewise, for templating engines, never use user input to build the template itself.
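The following is an added example, not code from the original page, illustrating the recommendation with Spring's SpEL API (the concrete expression language is an assumption; the page names Spring only in passing). The `Order` class, field names and method names are invented for the illustration. The first method shows the pattern the Description warns about; the second keeps the expression text fixed and lets the user value enter only as a typed variable under a restricted evaluation context.

```java
import org.springframework.expression.Expression;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;

public class ElInjectionExample {

    /** Assumed domain object used as the expression's root object (illustration only). */
    public static class Order {
        private final String customer;
        private final int quantity;

        public Order(String customer, int quantity) {
            this.customer = customer;
            this.quantity = quantity;
        }

        public String getCustomer() { return customer; }
        public int getQuantity() { return quantity; }
    }

    private static final ExpressionParser PARSER = new SpelExpressionParser();

    /**
     * VULNERABLE PATTERN: the user's string *is* the expression, and
     * StandardEvaluationContext exposes the full language (type references,
     * constructors, method invocation). Whatever the caller types is evaluated
     * on the server. This is the EL Injection pattern described above.
     */
    static Object renderUnsafe(String userExpression, Order order) {
        Expression expr = PARSER.parseExpression(userExpression);
        return expr.getValue(new StandardEvaluationContext(order));
    }

    /**
     * HARDENED PATTERN:
     *  - the expression text is a constant chosen by the developer;
     *  - user input is converted to a typed value before use and enters the
     *    evaluation only as a variable (#multiplier), never as expression text;
     *  - SimpleEvaluationContext limits evaluation to property reads and data
     *    binding, so even a mistake elsewhere cannot reach type references,
     *    constructors or bean method calls.
     */
    static Object renderSafe(String userMultiplier, Order order) {
        // Reject anything that is not an integer before it gets anywhere near SpEL.
        int multiplier = Integer.parseInt(userMultiplier);

        Expression expr = PARSER.parseExpression("quantity * #multiplier");
        SimpleEvaluationContext ctx = SimpleEvaluationContext.forReadOnlyDataBinding().build();
        ctx.setVariable("multiplier", multiplier);
        return expr.getValue(ctx, order);
    }

    public static void main(String[] args) {
        Order order = new Order("alice", 3);
        // Only the hardened path is exercised; renderUnsafe is shown as the
        // anti-pattern to look for in code review.
        System.out.println(renderSafe("4", order));
    }
}
```

In a code review, the signal to look for is any `parseExpression(...)` (or equivalent in another EL) whose argument is not a compile-time constant; the fix is to move the user value out of the expression string and into a variable or bind parameter, as `renderSafe` does.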
References
Related Issues
- WordPress Plugin Jetpack SQLI - CVE-2011-4673
- Apache Expect Header Cross Site Scripting - CVE-2006-3918
- Apache Struts 2 Forced double OGNL evaluation S2-059 - CVE-2019-0230
- Apache Struts 2 RCE S2-045 - CVE-2017-5638
Tags:
- EL Injection
- Template Injection
- Injection
Last updated on May 13, 2024