EL Injection Cheat Sheet

What is EL Injection?

A vulnerability in the Spring Framework: CVE-2011-2730.
It is caused by double evaluation of Expression Language (EL).

It was discovered by Stefano Di Paola, MindedSecurity (@WisecWisec) and Arshan Dabirsiaghi, Aspect Security.
Details are here: http://www.mindedsecurity.com/fileshare/ExpressionLanguageInjection.pdf

How to get an array size with blind injection

Check whether the size of the list is larger than 3.

   ${list[3]=list[3] ? 'OK' : 'OK'}

When the size of the list is smaller than or equal to 3, this causes an HTTP 500 from an index-out-of-range exception.

Getting BASIC Authentication ID and Password using Blind Injection

${header} can be used to read the HTTP headers sent by the web browser.
It can be used to obtain the BASIC authentication ID and password (as with XST).

Getting text length

Test while changing _index_.

   ${header['Authorization'].bytes[_index_] le 255 ? 'ok':'ok'}

Getting Header text

Test while changing _index_ and _value_.

   ${header['Authorization'].bytes[_index_]=_value_ ? 'd':1>true}

Decoding

The Basic Authentication ID and password are Base64-encoded. After decoding, we get the ID and password.

Getting member method names for a variable with reflection

Some servlet containers allow .class to be used as the getClass() method. Its result discloses the names of the getter methods of the web application's internal variables.

Tomcat 6: enabled by default
Tomcat 7: start with the setting org.apache.el.parser.SKIP_IDENTIFIER_CHECK=true

   ${variable.class.methods[0].name}

Hitting parseFloat bug CVE-2010-4476

Works only on an unpatched Java Runtime with Tomcat 7.0.7/6.0.31/5.5.32 or older.

The following HTTP header is needed.

   Accept-Language: en;q=2.2250738585072012e-308

Attack vector:

   ${pageScope['javax.servlet.jsp.jspRequest'].locales}

Database connection flood DoS via DataSource instance (2012/06/06 added)

When an instance of javax.sql.DataSource exists in application scope (or another scope) as "datasource", it can be used to create a DB connection leak.
In a standard Spring-style application, this attack vector cannot be used. I strongly recommend using Spring's standard DB API instead of using JDBC directly.

   ${datasource.connection}

Execute ANY remote code (2013/01/23 added)

Attack vector to execute arbitrary remote code using URLClassLoader to load a remote class file or jar file and invoke it. Details are written in https://www.aspectsecurity.com/uploads/downloads/2012/12/Remote-Code-with-Expression-Language-Injection.pdf
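As an added defender-side example (not part of this cheat sheet), the following Python script scans access-log lines for the probe patterns described in the sections above: the blind array-size probe, the Authorization header byte probe, the .class.methods reflection probe, the datasource connection vector and URLClassLoader. The log lines, rule names and URL paths are constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Constructed example, not from the original cheat sheet: flag access-log
# requests whose parameters carry the EL probes described above.
EL_RULES = [
    ("el_expression", re.compile(r"\$\{[^}]*\}")),
    ("blind_index_probe", re.compile(r"\[\s*\d+\s*\]\s*(?:=|\b(?:eq|le|lt|ge|gt)\b)")),
    ("header_read", re.compile(r"header\s*\[\s*['\"]Authorization['\"]\s*\]", re.I)),
    ("reflection_probe", re.compile(r"\.class\.methods\[")),
    ("jsp_request_probe", re.compile(r"javax\.servlet\.jsp\.jspRequest")),
    ("datasource_probe", re.compile(r"\bdatasource\.connection\b", re.I)),
    ("remote_classloader", re.compile(r"URLClassLoader")),
]
REQUEST_RE = re.compile(r'"(?:GET|POST|PUT|DELETE|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')

def classify(request_target):
    """Names of EL_RULES matched by one request target (URL-decoded first).
    Reports nothing unless a ${...} expression is present, so plain values
    such as 'connection' in a normal URL do not raise an alert by themselves."""
    decoded = unquote_plus(request_target)
    hits = [name for name, rx in EL_RULES if rx.search(decoded)]
    return hits if "el_expression" in hits else []

def scan_log(log_text):
    """Return (line_no, status, hits) for every log line that looks like an EL probe.
    A 500 on a blind_index_probe is the out-of-range signal the cheat sheet relies on."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if m:
            hits = classify(m.group(1))
            if hits:
                findings.append((line_no, m.group(2), hits))
    return findings

# Constructed sample log (Apache common format); lines 2-5 are probes.
SAMPLE_LOG = """\
10.0.0.5 - - [06/Jun/2012:10:00:01 +0000] "GET /app/search?q=connection HTTP/1.1" 200 512
10.0.0.9 - - [06/Jun/2012:10:00:02 +0000] "GET /app/msg?text=%24%7Blist%5B3%5D%3Dlist%5B3%5D+%3F+%27OK%27+%3A+%27OK%27%7D HTTP/1.1" 500 0
10.0.0.9 - - [06/Jun/2012:10:00:03 +0000] "GET /app/msg?text=%24%7Bheader%5B%27Authorization%27%5D.bytes%5B5%5D+le+255+%3F+%27ok%27%3A%27ok%27%7D HTTP/1.1" 200 120
10.0.0.9 - - [06/Jun/2012:10:00:04 +0000] "GET /app/msg?text=%24%7Bvariable.class.methods%5B0%5D.name%7D HTTP/1.1" 200 130
10.0.0.9 - - [06/Jun/2012:10:00:05 +0000] "GET /app/msg?text=%24%7Bdatasource.connection%7D HTTP/1.1" 200 130
"""

if __name__ == "__main__":
    for line_no, status, hits in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: HTTP {status} {hits}")
```

A burst of such requests from one client, especially blind_index_probe hits that alternate between 200 and 500, is the signature of the blind enumeration this sheet describes and is worth alerting on.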