Secure Code Review Fundamentals
Exploitation

Overview

  • If an attacker can control the Expression Language string that the application evaluates, this results in a vulnerability.

Basic Proof of Concept

    import javax.el.ExpressionFactory;
    import javax.el.ValueExpression;
    import de.odysseus.el.ExpressionFactoryImpl;   // JUEL implementation of javax.el
    import de.odysseus.el.util.SimpleContext;

    ExpressionFactory factory = new ExpressionFactoryImpl();
    SimpleContext context = new SimpleContext();
    String pl = "${7*7}";   // payload: arithmetic wrapped in an EL expression
    // Parse the attacker-style string as an EL value expression ...
    ValueExpression e = factory.createValueExpression(context, pl, Integer.class);
    // ... and evaluate it: the arithmetic is executed by the EL engine
    System.out.println(e.getValue(context));

    // OUTPUT
    // 49

In this scenario the sink appears to be the createValueExpression() method, which receives the attacker-controlled string.
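The following is an added example, not code from the original page, showing the vulnerable pattern next to a hardened form using the same JUEL API as the proof of concept above. The method names greetVulnerable/greetSafe and the probe string are assumptions for illustration; the safe variant binds the untrusted value as an EL variable instead of splicing it into the expression text.

```java
import javax.el.ExpressionFactory;
import javax.el.ValueExpression;
import de.odysseus.el.ExpressionFactoryImpl;   // JUEL implementation of javax.el
import de.odysseus.el.util.SimpleContext;

public class ElInjectionDemo {
    private static final ExpressionFactory FACTORY = new ExpressionFactoryImpl();

    // Vulnerable: the untrusted string becomes part of the expression text,
    // so any ${...} the user submits is parsed and evaluated by the EL engine.
    static Object greetVulnerable(String userInput) {
        SimpleContext ctx = new SimpleContext();
        String template = "Hello " + userInput;   // attacker-controlled expression text
        ValueExpression ve = FACTORY.createValueExpression(ctx, template, String.class);
        return ve.getValue(ctx);
    }

    // Hardened: the expression text is a fixed, developer-written literal.
    // The untrusted value is wrapped as a literal ValueExpression and bound to
    // the variable "name", so its contents are never parsed as EL.
    static Object greetSafe(String userInput) {
        SimpleContext ctx = new SimpleContext();
        ValueExpression literal = FACTORY.createValueExpression(userInput, String.class);
        ctx.setVariable("name", literal);
        ValueExpression ve = FACTORY.createValueExpression(ctx, "Hello ${name}", String.class);
        return ve.getValue(ctx);
    }

    public static void main(String[] args) {
        // Constructed probe mirroring the page's PoC payload.
        String probe = "${7*7}";
        // The vulnerable path evaluates the arithmetic inside the probe;
        // the hardened path returns the probe unchanged as plain text.
        System.out.println(greetVulnerable(probe));
        System.out.println(greetSafe(probe));
    }
}
```

During review, the check is whether any string reaching createValueExpression() (or an equivalent parse call) is built from request data; if so, the fix is to move that data into the context as a variable or bean property and keep the expression text constant.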

  • How to do it in Spring?

    • Spring uses Thymeleaf for its views

  • Any other frameworks?

Last updated 3 years ago