Expression Language Injection - Revision history

Dan Amodio at 19:32, 15 April 2013

2013-04-15T19:32:53Z

Dan Amodio at 19:21, 15 April 2013

2013-04-15T19:21:35Z

Dan Amodio: Initial add for EL Injection, CWE 917

2013-04-15T19:12:07Z

Initial add for EL Injection, CWE 917

New page

{{Vulnerability}}

Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''

[[ASDR_TOC_Vulnerabilities|Vulnerabilities Table of Contents]]

==Description==

Expression Language (EL) Injection happens when attacker controlled data enters an EL interpreter.

With EL implementations prior to 2.2, attacker can recover sensitive server side information available through implicit objects. This includes model objects, beans, session scope, application scope, etc. The EL 2.2 spec allows method invocation, which permits an attacker to execute arbitrary code within context of the application. This can manipulate application functionality, expose sensitive data, and branch out into system code access-- posing a risk of server compromise.

A specific pattern exists in certain version of the Spring Framework, where Spring JSP tags will double resolve EL. In versions prior to 3.0.6, it is not possible to disable this functionality, and the pattern must be avoided.

==Risk Factors==

TBD

==Examples==

=== Spring Message Tag ===
The Spring Message tag will double resolve Expression Language.

A common pattern of passing URL parameters to the message tag is:

Controller.java
@RequestMapping(value="/")
String index() {

if ( hasErrors() ) {
return "redirect:/error?msg=error.generic";
} else {
return "index";
}

}

error.jsp
<spring:message code="${param.msg}" />

A URL request to the above code of the form:
?msg=${param.test}&test=INJECTION

Will result in the string literal "INJECTION" being passed to the message tag. The application should respond with an exception like:

No message found under code 'INJECTION' for locale 'en_US'

Accordingly, the attacker could submit methods within the EL like:
?msg=${pageContext.request.getSession().setAttribute("admin",true)}

==Related [[Attacks]]==

* [[Interpreter Injection]]

==Related [[Vulnerabilities]]==

* [[Reflection injection]]
* [[Injection problem]]

==Related [[Controls]]==
Avoid putting user data into an expression interpreter if possible. Otherwise, validate and/or encode the data to ensure it is not evaluated as expression language.
* [[Input_Validation]]

In the case of Spring Framework, disable the double resolution functionality in versions 3.0.6 and above by placing the following configuration in the application web.xml.

<context-param>
<description>Spring Expression Language Support</description>
<param-name>springJspExpressionSupport</param-name>
<param-value>false</param-value>
</context-param>

==Related [[Technical Impacts]]==
* [[Loss of accountability]]
* [[Loss of availability]]
* [[Loss of confidentiality]]
* [[Loss of integrity]]

==References==
* [http://cwe.mitre.org/data/definitions/917.html CWE 917].
* [http://support.springsource.com/security/cve-2011-2730 Spring Framework: CVE-2011-2730]
* [http://www.mindedsecurity.com/fileshare/ExpressionLanguageInjection.pdf EL Injection: Information Disclosure]
* [http://danamodio.com/application-security/discoveries/spring-remote-code-with-expression-language-injection/ EL Injection: Remote Code Execution]
* [http://jcp.org/aboutJava/communityprocess/mrel/jsr245/index.html JSR245: EL 2.2 Spec]

{{Stub}}

[[Category:Input Validation Vulnerability]]
[[Category:Vulnerability]]

← Older revision		Revision as of 19:32, 15 April 2013
Line 57:		Line 57:
	Accordingly, the attacker could submit methods within the EL like:		Accordingly, the attacker could submit methods within the EL like:
	?msg=${pageContext.request.getSession().setAttribute("admin",true)}		?msg=${pageContext.request.getSession().setAttribute("admin",true)}
		+
		+	If the container provided EL interpreter does not support static class methods ( java.lang.Runtime.getCurrentRuntime().exec() ), an attacker can use a URLClassLoader to load remote code.
		+
		+
		+	=== Spring Eval Tag ===
		+	Spring Framework provides a JSP tag that interprets Spring Expression Language (SpEL).
		+
		+	The following code would be vulnerable:
		+	<spring:eval expression="${param.vulnerable}" />
		+
		+	A URL of the following form would provide system code access:
		+	?vulnerable=T(java.lang.Runtime).getRuntime().exec(“cmd.exe”)

@@ Line 16: / Line 16: @@
 ==Risk Factors==
-TBD
+The likelihood of this issue is '''Medium''', for the following reasons:
 ==Examples==