Thursday, May 8, 2014

expression language injection attacks with the help of springJspExpressionSupport

Recently, I discovered a nasty place for an expression language injection attack in one of my applications. It was directly related to the expression evaluation feature of Spring's components on JSP pages.
I was adding a request parameter to a Spring form's action attribute. Because Spring's form component evaluates the attribute value as an expression itself, you could put ${applicationScope} (or anything else available on the page) into the request parameter and see the evaluation result in the page source.

The first thing to do was to disable springJspExpressionSupport by setting the flag to false in my web.xml:

    <context-param>
        <description>Enable Spring JSP Expressions</description>
        <param-name>springJspExpressionSupport</param-name>
        <param-value>false</param-value>
    </context-param>

The problem with this is that it completely disables Spring's evaluation mechanism, which means ExpressionEvaluationUtils.evaluate() calls no longer evaluate anything. So I had to use an alternative, such as the following code, which hands the expression to the container's own EL API:

// Assumes pageContext, exp and resultClass are in scope (e.g. inside a tag handler).
// Evaluates exp once through the container's EL API instead of Spring's ExpressionEvaluationUtils.
ELContext elContext = pageContext.getELContext();
JspApplicationContext jac = JspFactory.getDefaultFactory()
        .getJspApplicationContext(pageContext.getServletContext());
ValueExpression val = jac.getExpressionFactory().createValueExpression(elContext, exp, resultClass);
return val.getValue(elContext);
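The injection path above, reduced to plain Java with the EL 3.0 API, as an added example that is not part of the original post: the container evaluates the JSP attribute once, and the vulnerable component then evaluates the resulting string a second time. It assumes javax.el-api 3.0 with an implementation (such as the GlassFish one) on the classpath; the bean names param and applicationScope and their values are constructed sample data. The same caveat applies to the alternative code above: only pass expressions authored in the JSP to it, never a value that already came out of the container's attribute evaluation.

```java
import java.util.HashMap;
import java.util.Map;
import javax.el.ELContext;
import javax.el.ELManager;
import javax.el.ELProcessor;
import javax.el.ExpressionFactory;
import javax.el.ValueExpression;

/** Shows why re-evaluating an already evaluated JSP attribute value is unsafe. */
public class DoubleEvaluationDemo {

    private final ELProcessor elp = new ELProcessor();
    private final ExpressionFactory factory = ELManager.getExpressionFactory();
    private final ELContext ctx = elp.getELManager().getELContext();

    public DoubleEvaluationDemo() {
        // Constructed sample data: a request parameter chosen by the client and an
        // application-scoped value that must never end up in the page source.
        Map<String, String> param = new HashMap<>();
        param.put("q", "${applicationScope.dbPassword}");
        Map<String, String> applicationScope = new HashMap<>();
        applicationScope.put("dbPassword", "s3cr3t");
        elp.defineBean("param", param);
        elp.defineBean("applicationScope", applicationScope);
    }

    /** Hardened behaviour: one evaluation, which is what the JSP container already does
     *  for action="${param.q}". The client-supplied ${...} stays a literal string. */
    public String evaluateOnce(String attributeInJsp) {
        ValueExpression ve = factory.createValueExpression(ctx, attributeInJsp, String.class);
        return (String) ve.getValue(ctx); // "${applicationScope.dbPassword}"
    }

    /** Vulnerable behaviour: the tag treats the already evaluated value as a new expression. */
    public String evaluateTwice(String attributeInJsp) {
        String once = evaluateOnce(attributeInJsp);
        ValueExpression ve = factory.createValueExpression(ctx, once, String.class);
        return (String) ve.getValue(ctx); // "s3cr3t": the client-chosen expression was resolved
    }

    public static void main(String[] args) {
        DoubleEvaluationDemo demo = new DoubleEvaluationDemo();
        System.out.println("once : " + demo.evaluateOnce("${param.q}"));
        System.out.println("twice: " + demo.evaluateTwice("${param.q}"));
    }
}
```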