Expression Language (EL) Injection (CWE-917)
Expression Language (EL) in JSPs is another interpreter that can be attacked by injection. EL Injection happens when attacker-controlled data enters an EL interpreter.
In frameworks like Spring MVC, EL tags are evaluated twice: once by the application server, and then the result is evaluated again as an EL expression by the Spring tag implementation. This allows an attacker to pass a value in the HTTP request message (header, cookie, or message parameter) containing an EL expression that could be executed.
Depending on the context, this may allow execution of arbitrary code, modification of unintended session or application attributes, or even downloading remote malicious Java classes with custom classloaders.
Other frameworks, like Struts, use a similar expression language (OGNL) that in certain cases allows double execution of OGNL.
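The double evaluation described above can be modelled in a few lines. This is an added example, not Kiuwan, Spring or application-server code: the class DoubleEvalDemo, its methods, and the sample scope values are hypothetical, and the resolver is a toy that only looks up names in a map.

```java
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added illustration: a toy resolver standing in for an EL interpreter.
// It only resolves "${name}" against a map; real EL is far more capable.
public class DoubleEvalDemo {
    private static final Pattern EL = Pattern.compile("\\$\\{([^}]+)\\}");

    // One evaluation pass: replace each ${name} with its value from scope.
    static String evaluate(String template, Map<String, String> scope) {
        Matcher m = EL.matcher(template);
        StringBuilder out = new StringBuilder();
        while (m.find()) {
            String value = scope.getOrDefault(m.group(1), "");
            // quoteReplacement keeps '$' and '\' in the value literal.
            m.appendReplacement(out, Matcher.quoteReplacement(value));
        }
        m.appendTail(out);
        return out.toString();
    }

    // Models a tag that evaluates its attribute again after the container did.
    static String renderTwice(String attr, Map<String, String> scope) {
        return evaluate(evaluate(attr, scope), scope);
    }

    // Models the corrected behaviour: the attribute is evaluated exactly once,
    // so request data is never itself interpreted as an expression.
    static String renderOnce(String attr, Map<String, String> scope) {
        return evaluate(attr, scope);
    }

    public static void main(String[] args) {
        // Constructed sample data: one request parameter, one server-side attribute.
        Map<String, String> scope = Map.of(
            "param.msg", "${applicationScope.dbPassword}",  // value sent by the client
            "applicationScope.dbPassword", "s3cr3t");       // never meant to be rendered

        String attr = "${param.msg}";  // what the page author wrote in the tag
        System.out.println("twice: " + renderTwice(attr, scope));
        System.out.println("once:  " + renderOnce(attr, scope));
    }
}
```

With two passes the client-supplied string is itself resolved and the server-side attribute is rendered; with one pass the same string is emitted as inert text.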
EL Injection (CWE-917) coverage by Kiuwan
Kiuwan incorporates rules for EL Injection (CWE-917) for the following languages.
To obtain detailed information on functionality, coverage, parameterization, remediation, example codes, etc., follow the same steps as described in SQL Injection.