
Expression Language Injection / EL Injection

What is Expression Language Injection (EL Injection)

Expression Language Injection occurs when a remote attacker can get their input evaluated as part of an Expression Language (EL) expression, so that the EL interpreter runs expressions the attacker wrote rather than the ones the developer intended. It is a form of code injection: because EL can call arbitrary Java methods, a successful attack lets the attacker run code of their choosing on your server.

When can EL Injection affect my application

EL Injection affects applications that evaluate an Expression Language. Most often this is in Java EE web applications, which use the standard EL in JSP and JSF pages or through APIs such as javax.el.ELProcessor, and in Java frameworks with their own expression dialects, such as Spring's SpEL and OGNL in Struts. Other languages generally do not use Expression Language, but any application that evaluates user input as code in a domain-specific language (template engines and expression evaluators alike) is exposed to the same class of flaw.

How do I know if/where my application has an EL Injection vulnerability

Contrast Assess instruments the running application and can detect EL Injection vulnerabilities, including where untrusted input reaches an EL evaluator.

Contrast Protect can defend against EL Injection attacks at runtime.

How do I fix EL Injection

Developers should never evaluate remote input as part of an Expression Language statement. Keep expressions as fixed strings written by the developer, and let user input reach them only as data: bind it to a variable or bean in the evaluation context, or build the feature as an ordinary method that acts on the input rather than constructing an expression string from it. Concatenating user input into an expression string and then evaluating it is the root cause; filtering or escaping that input is a weaker defense than keeping it out of the expression entirely.
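As an added example (not code from the original page or from Contrast), here is the vulnerable pattern beside the fix, using the standard EL 3.0 API, javax.el.ELProcessor. The class names GreetingService and User, the greeting feature and the sample input are assumptions made for illustration; running it needs the javax.el-api and an EL implementation such as the GlassFish reference implementation on the classpath.

```java
// Added example, not from the original page: vulnerable vs. fixed EL usage.
// Assumes javax.el-api 3.0 plus an EL implementation on the classpath.
import javax.el.ELProcessor;

public class GreetingService {

    // Constructed sample bean for this example.
    public static class User {
        private final String name;
        public User(String name) { this.name = name; }
        public String getName() { return name; }
    }

    // VULNERABLE: the caller's text is spliced into the expression source.
    // Anything that closes the quote, for example
    //     x' += Runtime.getRuntime().exec('command') += '
    // is parsed and evaluated as EL with full access to the Java runtime.
    public static String greetVulnerable(String untrustedName) {
        ELProcessor elp = new ELProcessor();
        String expression = "'Hello, ' += '" + untrustedName + "'";
        return (String) elp.eval(expression);
    }

    // SAFE: the expression is a fixed literal written by the developer. The
    // untrusted value enters only as data bound to a bean in the evaluation
    // context, so any EL syntax inside it is never parsed.
    public static String greetSafe(String untrustedName) {
        ELProcessor elp = new ELProcessor();
        elp.defineBean("user", new User(untrustedName));
        return (String) elp.eval("'Hello, ' += user.name");
    }

    public static void main(String[] args) {
        // A harmless probe: if the input is evaluated, the "(1 + 1)" becomes "2";
        // if it is treated as data, the greeting echoes the probe unchanged.
        String probe = "x' += (1 + 1) += '";
        System.out.println(greetSafe(probe));        // probe echoed back as plain text
        System.out.println(greetVulnerable(probe));  // arithmetic inside the probe was evaluated
    }
}
```

The same principle applies to other dialects: with Spring's SpEL, keep the expression string constant and pass user data through context variables, and evaluate with a restricted context such as SimpleEvaluationContext.forReadOnlyDataBinding() rather than StandardEvaluationContext, so that even a mistake cannot reach type references and arbitrary method calls.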

How do people attack EL Injection flaws

Attackers who find an injection point supply their own Expression Language statements in place of the data the application expected. A common goal is to execute system commands through the Java runtime, for example (with "command" standing in for the attacker's command):

${Runtime.getRuntime().exec("command")}

The exact syntax depends on the EL dialect; in Spring's SpEL the same call is written with a type reference, T(java.lang.Runtime).getRuntime().exec("command").