Expression Language Injection

high Web App Scanning Plugin ID 113317

Synopsis

Expression Language Injection

Description

Expression Language (EL) has been defined as part of the Java Server Pages Standard Tag Library (JSTL) in order to offer developers a simple way to output data from an object model. Starting from the JSP 2.0 specification, Expression Language has been made available within JSP pages, but it is also present in many implementations like :
- Apache Jakarta
- Object-Graph Navigation Language (OGNL) used by Struts and WebWork
- MVFLEX Expression Language (MVEL)
- Spring Expression Language (SPEL)

An Expression Language Injection (ELI) vulnerability exists when an application incorporates unsafe user-controlled inputs which are dynamically evaluated by an expression interpreter.

By injecting a specific payload depending on the expression interpreter used by the application, an attacker can leverage this vulnerability to gain access to sensitive information or to achieve remote code execution on the target server.

Solution

Developers should avoid evaluating expressions derived directly from untrusted user inputs to prevent malicious injections. If the application still requires this type of inputs, the user-supplied data should be strictly validated to avoid advanced expression injection by using an allowlist or filtering the usage of special characters.

See Also

https://mindedsecurity.com/wp-content/uploads/2020/10/ExpressionLanguageInjection.pdf

https://owasp.org/www-community/vulnerabilities/Expression_Language_Injection

Plugin Details

Severity: High

ID: 113317

Type: remote

Family: Injection

Published: 8/8/2022

Updated: 7/6/2023

Scan Template: api, full, pci, scan

Risk Information

VPR

Risk Factor: Medium

Score: 4.7

CVSS v2

Risk Factor: High

Base Score: 9

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:P/A:P

CVSS Score Source: Tenable

CVSS v3

Risk Factor: High

Base Score: 8.6

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

CVSS Score Source: Tenable

CVSS v4

Risk Factor: High

Base Score: 7.2

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N

CVSS Score Source: Tenable

Reference Information

CWE: 917

OWASP: 2010-A1, 2013-A1, 2017-A1, 2021-A3

WASC: Improper Input Handling

CAPEC: 10, 101, 108, 120, 13, 135, 14, 24, 250, 267, 273, 28, 3, 34, 42, 43, 45, 46, 47, 51, 52, 53, 6, 64, 67, 7, 71, 72, 76, 78, 79, 8, 80, 83, 84, 9

DISA STIG: APSC-DV-002560

HIPAA: 164.306(a)(1), 164.306(a)(2)

ISO: 27001-A.14.2.5

NIST: sp800_53-SI-10

OWASP API: 2019-API8

OWASP ASVS: 4.0.2-5.2.5

PCI-DSS: 3.2-6.5.1