I came across an article Open source library with vulnerabilities.
This article states that
“Spring Expression Language (SpEL) could be exploited through HTTP parameter submissions that would allow attackers to get sensitive system data, application and user cookies.”
Can someone shed more light on this, please?
Check out this Aspect Security/Minded Security evaluation of SpEL (google docs link), which the article you link to is probably referring to (for the specific case of SpEL).
They describe how certain Spring JSP tags double-evaluate EL expressions. In these cases it may be possible for the user to submit data to the server in the form of SpEL, e.g. as a request parameter with the value

${bean.val} (URL encoded)

Inside JSP pages, the expression ${param.exp} will be resolved to the text ${bean.val}, which by itself is safe. If, however, that expression resides within an attribute of a Spring JSTL tag, that resolved value may be evaluated again, e.g. in the spring:message tag:

will result in the value ${bean.val} being passed through to the spring:message tag, which will evaluate the bean.getVal() method. Hence we now have code submitted by the client being run on the server.
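To make the double-evaluation pattern described in the answer concrete, the following is a constructed illustration added here; it is not code from the original answer or from the linked evaluation. The names bean, param.exp and the message code are placeholders. It shows the vulnerable shape (user-controlled text landing in an attribute that a Spring tag evaluates as SpEL) beside a hardened rendering that evaluates the parameter exactly once as plain text.

```jsp
<%-- Constructed illustration, not from the original answer.
     Assumes a Spring 3.0.x JSP page with SpEL evaluation of tag attributes enabled. --%>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<%@ taglib prefix="spring" uri="http://www.springframework.org/tags" %>

<%-- VULNERABLE pattern:
     1. The container's JSP EL resolves ${param.exp} to the raw request parameter text,
        so a parameter whose value is the string "${bean.val}" becomes exactly that text.
     2. The spring:message tag then treats its text attribute as an expression and
        evaluates it again, so the client-supplied SpEL runs on the server. --%>
<spring:message text="${param.exp}" />

<%-- HARDENED pattern:
     The parameter is rendered once, HTML-escaped, by JSTL's c:out. c:out does not
     re-evaluate its output, so the literal text "${bean.val}" reaches the browser
     as text and no server-side method is invoked. --%>
<c:out value="${param.exp}" />
```

The structural rule this demonstrates is that user-controlled text must never flow into an attribute of a tag that performs its own expression evaluation; rendering it through a tag that only escapes and emits text (or as a literal in a template) keeps the evaluation count at one. Independently of the page markup, the Spring releases that fixed this issue also let an application disable SpEL evaluation of JSP tag attributes altogether by setting the servlet context init parameter springJspExpressionSupport to false in web.xml; when auditing a deployment, checking both that parameter and every tag attribute fed from request data is the practical detection step.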