Monday, September 12, 2011

Expression Language Injection

Think about implementing a web application that relies several secrets like anti CRSRF tokens, random seeds used for password generation and so on...

If the implementation is based on Spring MVC framework and security is important for you, then you should consider reading the paper Expression Language Injection which is the result of a joint research conducted by Stefano Di Paola of Minded Security and Arshan Dabirsiaghi of Aspect Security.

We tried to identify the security impact of a bug in Spring MVC which could lead to double evaluation of Expression Language if an untrusted input is used as the argument of particular attributes.

The research shows that it could result in the exposition of application information which should be kept bounded to the application.

The only information which seems to be still protected is tied to static values and static methods.

If you're interested, enjoy the reading and let us know your impressions.


  1. The technique presented in this paper is very actual also in Internet Banking Security scenarios, where it may break a number of authorisation schemas.

    Imagine a "SMS OTP" value that is temporary kept in the session scope before being challenged against the one sent to the user Mobile Phone.

    An attacker may authorise a new Money Transfer by reading the current session data, which keeps the OTP authorisation information for that user.

    In this case, this information leakage is a ground breaking issue.

  2. @Giorgio
    very interesting scenery, thanks!

  3. can you give a more concrete example please?
    I've read the paper, but i'm not an expert in jsp and spring.

  4. ps: it's not clear in my head how/where that double evaluation occurs.

  5. Sir.. can u give more info of expression language injection??
    how it works?? n more..

  6. hey, this URL no more works. Could you please fix this?