Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
Incomplete Base
Structure: Simple
Description
The product constructs all or part of an expression language (EL) statement in a framework such as a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed.
Frameworks such as Java Server Page (JSP) allow a developer to insert executable expressions within otherwise-static content. When the developer is not aware of the executable nature of these expressions and/or does not disable them, then if an attacker can inject expressions, this could lead to code execution or other unexpected behaviors.
Common Consequences 2
Scope: Confidentiality
Impact: Read Application Data
Scope: Integrity
Impact: Execute Unauthorized Code or Commands
Detection Methods 1
Automated Static AnalysisHigh
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)Potential Mitigations 3
Phase: Architecture and Design
Avoid adding user-controlled data into an expression interpreter when possible.
Phase: Implementation
If user-controlled data must be added to an expression interpreter, one or more of the following should be performed:
- Validate that the user input will not evaluate as an expression
- Encode the user input in a way that ensures it is not evaluated as an expression
Phase: System ConfigurationOperation
The framework or tooling might allow the developer to disable or deactivate the processing of EL expressions, such as setting the isELIgnored attribute for a JSP page to "true".
Observed Examples 1
CVE-2021-44228Product does not neutralize ${xyz} style expressions, allowing remote code execution. (log4shell vulnerability in log4j)
References 4
Expression Language Injection
Stefano Di Paola and Arshan Dabirsiaghi
12-09-2011
ID: REF-911
Remote Code with Expression Language Injection
Dan Amodio
14-12-2012
http://danamodio.com/appsec/research/spring-remote-code-with-expression-language-injection/(2023-04-07)
ID: REF-912
Neutralizing Your Inputs: A Log4Shell Weakness Story
CWE/CAPEC
ID: REF-1279
Expression Language Injection
OWASP
ID: REF-1280
Applicable Platforms
Languages:
Java : Undetermined
Modes of Introduction
Architecture and Design
Implementation
Alternate Terms
EL Injection
Related Weaknesses
Notes
MaintenanceThe interrelationships and differences between Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') and Improper Neutralization of Special Elements Used in a Template Engine need to be further clarified.
RelationshipIn certain versions of Spring 3.0.5 and earlier, there was a vulnerability (CVE-2011-2730) in which Expression Language tags would be evaluated twice, which effectively exposed any application to EL injection. However, even for later versions, this weakness is still possible depending on configuration.