Expression Language Injection

Expression language injection is a type of injection attack in which the attacker supplies input that the application's expression language (such as OGNL, EL, MVEL or SpEL) parses and evaluates as code. Previously unknown security vulnerabilities in how the application builds and evaluates expressions make the injection possible.

Because of these vulnerabilities, the application treats the malicious input as a legitimate expression and evaluates it, which can give the attacker access to sensitive application and user data. Ultimately, this attack is only possible when the application fails to properly validate and sanitize user input.

Expression language injection cases

  • OGNL injection: The attacker injects malicious OGNL expressions in order to modify existing code or run unauthorized code in Java-based applications.
  • EL injection: The attacker executes arbitrary code or reads sensitive data by exploiting the Expression Language (EL) used in JavaServer Faces (JSF) or JavaServer Pages (JSP).
  • MVEL injection: The attacker injects malicious MVEL (MVFLEX Expression Language) expressions to exploit weaknesses in applications that use MVEL for dynamic evaluation.
  • SpEL injection: The attacker uses the Spring Expression Language (SpEL) of the Spring Framework to execute malicious commands or gain access to restricted resources.

How does expression language injection happen?

  • The application accepts user input or other external data, such as query parameters or form fields, without proper validation.
  • An attacker identifies these unvalidated inputs and supplies malicious expressions through them.
  • The application processes the input without adequate sanitization, effectively treating it as trusted code.
  • The application evaluates the malicious expressions, letting the attacker execute their commands or read sensitive information.
  • This can lead to altered database queries, access to restricted data, or further attacks launched against the server, network or application.

Preventing expression language injection

  • Validate all user input to detect malicious code before it reaches an expression evaluator.
  • Use APIs and settings that keep user input separate from the expressions and database queries it is passed to, so the input is treated as data and cannot execute as code.
  • Sanitize and validate user-supplied content before displaying it in the application.
  • Keep the application, its frameworks and its libraries up to date.
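To make both the attack steps above and the "keep input separate from the expression" advice concrete, here is an added Spring SpEL example that is not part of the original page: a vulnerable function that concatenates a request parameter into the expression text, beside a hardened one that binds the same input as a variable inside a restricted evaluation context. The SpEL classes used are real Spring APIs; the greeting template, the method names and the sample inputs are constructed for illustration.

```java
import org.springframework.expression.EvaluationContext;
import org.springframework.expression.Expression;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;

public class SpelInjectionDemo {
    private static final ExpressionParser PARSER = new SpelExpressionParser();

    // VULNERABLE: the user-controlled string becomes part of the expression
    // source, so whatever the user sends is parsed and evaluated as SpEL, and
    // StandardEvaluationContext allows type references, constructors and
    // arbitrary method calls during that evaluation.
    static String greetVulnerable(String userInput) {
        String expr = "'Hello, ' + " + userInput;
        Expression e = PARSER.parseExpression(expr);
        return String.valueOf(e.getValue(new StandardEvaluationContext()));
    }

    // HARDENED: the expression text is a fixed template written by the
    // developer; the user input is bound as the variable #name, so it is only
    // ever data. SimpleEvaluationContext additionally disables type references,
    // constructors and method invocation beyond simple property reads.
    static String greetSafe(String userInput) {
        Expression e = PARSER.parseExpression("'Hello, ' + #name");
        EvaluationContext ctx = SimpleEvaluationContext.forReadOnlyDataBinding().build();
        ctx.setVariable("name", userInput);
        return String.valueOf(e.getValue(ctx));
    }

    public static void main(String[] args) {
        // Constructed inputs: the quoted literal the developer expected, and a
        // harmless arithmetic fragment that reveals whether input is evaluated.
        String expected = "'Alice'";
        String crafted = "1 + 1";

        // The vulnerable path evaluates the arithmetic and concatenates the
        // result; the safe path keeps the crafted text verbatim as a string.
        System.out.println(greetVulnerable(expected));
        System.out.println(greetVulnerable(crafted));
        System.out.println(greetSafe(crafted));
    }
}
```

Running it requires spring-expression on the classpath; comparing the second and third lines of output shows the difference between input that is interpreted as code and input that stays data.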