Details

Alert ID: 90025
Alert Type: Active
Status: beta
Risk: High
CWE: 917
WASC: 20
Technologies Targeted: All
Tags: CWE-917, OWASP_2017_A01, OWASP_2021_A03, POLICY_API, POLICY_QA_FULL, POLICY_QA_STD, WSTG-V42-INPV-11
More Info: Scan Rule Help

Summary

The software constructs all or part of an Expression Language (EL) statement in a Java Server Page (JSP) from externally influenced input received from an upstream component, but it does not neutralize, or incorrectly neutralizes, special elements that could modify the intended EL statement before it is executed. In Spring Framework 3.0.5 and earlier, a vulnerability (CVE-2011-2730) caused EL expressions in certain JSP tag attributes to be evaluated twice: the JSP container first resolved the attribute to the user-supplied value, and the tag then handed that string back to the EL interpreter, so any ${...} sequence an attacker placed in a request parameter was evaluated. This effectively exposed any affected application to EL injection. Later versions are not immune: the weakness remains possible depending on configuration (for example, if the application re-enables Spring's JSP expression support) or wherever application code itself passes untrusted data to an EL evaluator.

Solution

Apply input validation best practice to untrusted input, and ensure that output encoding (EL escaping) is applied at the point where data arrives on the EL layer, so that the interpreter finds no metacharacters within user-controlled content before evaluation. The most obvious patterns to detect are ${ and #{, but attackers may encode or fragment these sequences (for example, supplying $ and { in separate fields that the application later concatenates), so the check must run on the fully decoded, assembled value rather than on individual request parameters.
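The following is an added, self-contained illustration of both the Summary and the Solution; it is not ZAP's scan rule code and not the Spring code that CVE-2011-2730 refers to. It uses a deliberately tiny stand-in for JSP EL (only ${ident} context lookups and ${integer arithmetic}) to show the double-evaluation sink, the per-parameter blocklist that fragmenting defeats, neutralization applied to the assembled value as it enters the EL layer, and an active-scan style arithmetic probe. The probe's use of ${a+b} with random operands is an assumption about how such a rule works, not a description of the ZAP implementation; TEMPLATE, build_response and the other names are made up for the example.

```python
"""Expression Language (EL) injection: toy double-evaluation sink, hardened
path, and an active-scan style probe.

Added example, not ZAP's rule or Spring's code. The mini EL below supports only
${ident} context lookups and ${integer arithmetic}; real JSP EL can call
methods on application objects, which is why the weakness is rated High.
"""
import ast
import operator
import random
import re

# ${...} not preceded by a backslash. JSP EL treats \${ as a literal.
EL_EXPR = re.compile(r"(?<!\\)\$\{([^}]*)\}")

_BIN_OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul}


def _eval_arith(expr: str) -> int:
    """Evaluate integer +, -, * expressions via the AST; never calls eval()."""
    def walk(node):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if isinstance(node, ast.Constant) and type(node.value) is int:
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
            return _BIN_OPS[type(node.op)](walk(node.left), walk(node.right))
        raise ValueError("unsupported EL expression")
    return walk(ast.parse(expr.strip(), mode="eval"))


def evaluate_el(text: str, ctx: dict) -> str:
    """One pass of the toy EL interpreter: resolve every unescaped ${...}."""
    def resolve(m):
        expr = m.group(1).strip()
        if expr in ctx:
            return str(ctx[expr])
        try:
            return str(_eval_arith(expr))
        except (ValueError, SyntaxError):
            return m.group(0)  # unknown expression: left untouched
    return EL_EXPR.sub(resolve, text)


TEMPLATE = "You searched for: ${q}"  # hypothetical JSP tag attribute


def render_double_eval(template: str, ctx: dict) -> str:
    """Double evaluation in the style of CVE-2011-2730: the container resolves
    ${q} to the user's value, then the tag hands the resulting string back to
    the EL interpreter, so ${...} inside the user's value is executed."""
    return evaluate_el(evaluate_el(template, ctx), ctx)


def neutralize_el(value: str) -> str:
    """Escape EL metacharacters in untrusted data as it reaches the EL layer.
    (A real container strips the backslash again when emitting the page.)"""
    return value.replace("${", "\\${").replace("#{", "\\#{")


def naive_param_check(value: str) -> bool:
    """Per-parameter blocklist: True if this one value looks like EL. Shown as
    the insufficient check, since it never sees the assembled string."""
    return "${" in value or "#{" in value


def build_response(first: str, second: str, hardened: bool) -> str:
    """Hypothetical application code that concatenates two request parameters
    into one search string. The hardened path neutralizes the *assembled*
    value at the point it enters the EL context, not each fragment."""
    q = first + second
    if hardened:
        q = neutralize_el(q)
    return render_double_eval(TEMPLATE, {"q": q})


def probe_el_injection(send, rng=None) -> bool:
    """Active-scan style check (assumed approach, not ZAP's exact logic):
    inject ${a+b} and report injection if the response carries the sum but
    not the raw payload. 4-digit operands keep the sum from appearing by
    accident inside an echoed payload."""
    rng = rng or random.Random()
    a, b = rng.randint(1000, 9999), rng.randint(1000, 9999)
    payload = f"${{{a}+{b}}}"
    body = send(payload)
    return str(a + b) in body and payload not in body


if __name__ == "__main__":
    # Fragmented payload: "$" and "{7*7}" pass the per-parameter check...
    print(naive_param_check("$"), naive_param_check("{7*7}"))
    # ...but the concatenated value is evaluated by the double-eval sink.
    print(build_response("$", "{7*7}", hardened=False))
    print(build_response("$", "{7*7}", hardened=True))
    print(probe_el_injection(lambda p: build_response(p, "", hardened=False)))
    print(probe_el_injection(lambda p: build_response(p, "", hardened=True)))
```

The point of the fragment case is that a blocklist run per request parameter sees "$" and "{7*7}" separately and passes both, while the sink receives "${7*7}"; the escaping has to happen on the value the EL layer actually receives. The probe detects the injection in either case because it judges by the evaluated result rather than by the input.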

Other Info

References

Code

org/zaproxy/zap/extension/ascanrulesBeta/ExpressionLanguageInjectionScanRule.java