Expression Language Injection
In programming languages, expressions are constants, variables, operators, or function calls that perform actions and produce values. Web applications often evaluate dynamic expressions inside their templates so that one template can render many different pages. When user input is placed into these dynamic expressions or templates without proper validation, a malicious user can supply crafted input that changes the server-side expression itself rather than merely the data it operates on. This is called Expression Language Injection (also EL Injection) or Template Injection. EL injection is a serious vulnerability: depending on the engine, it lets an attacker read information that is visible to the expression context, such as session tokens, or execute commands on the remote server.
Do not use user input to construct expressions. If you are using the Spring Framework, disable the double resolution functionality. If you are using a templating engine, never build the template text itself from user input; the template should be a fixed constant and user input should only ever be supplied to it as data.
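The following is an added Python example, not code from the original page, that contrasts a template built from user input with a fixed template that receives user input as data, and then models why a second evaluation pass (the "double resolution" mentioned above) reintroduces the problem. It uses only the standard library's string.Template; the rendering context, the session token value and the `$session_token` probe input are constructed for the demonstration.

```python
import string

# Constructed example: a per-request rendering context that, as in many web
# frameworks, holds sensitive values alongside ordinary display data.
CONTEXT = {"count": 3, "session_token": "constructed-token-abc123"}


def render_vulnerable(user_name: str) -> str:
    """Builds the template text from user input, then evaluates it.

    Whatever the user typed becomes part of the template source, so any
    placeholder in the input is resolved against the full context.
    """
    template = string.Template(
        "Hello, " + user_name + "! You have $count new messages."
    )
    return template.safe_substitute(CONTEXT)


# Hardened: the template is a fixed constant; user input is only ever data.
GREETING = string.Template("Hello, $name! You have $count new messages.")


def render_safe(user_name: str) -> str:
    """Substitutes user input as a value; the template source never changes.

    Substitution is single-pass, so a '$' inside the value is not re-evaluated.
    """
    return GREETING.safe_substitute(CONTEXT, name=user_name)


def render_double_resolution(user_name: str) -> str:
    """Models 'double resolution': the output of a correct render is evaluated
    a second time, turning user data that survived the first pass into a
    live expression. This is why the second pass must be disabled."""
    first_pass = render_safe(user_name)
    return string.Template(first_pass).safe_substitute(CONTEXT)


def leaks_context(rendered: str) -> bool:
    """Defensive check: did the rendered page echo a sensitive context value?"""
    return CONTEXT["session_token"] in rendered


if __name__ == "__main__":
    probe = "$session_token"  # constructed input a tester might submit
    print("vulnerable :", render_vulnerable(probe))
    print("safe       :", render_safe(probe))
    print("double pass:", render_double_resolution(probe))
```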