Expression Language Injection
Expression Language (EL) Injection is a sophisticated attack vector within the Payload Execution phase that targets application frameworks that implement expression languages, such as JavaServer Pages (JSP), Spring, and other MVC frameworks. Attackers exploit flaws in how user-supplied input is handled when it reaches an expression language parser, allowing them to inject malicious expressions that can lead to code execution, data exposure, or authentication bypass. Unlike standard code injection techniques, EL injection specifically leverages the templating and data-binding features of modern web frameworks, where expressions like ${object.property} or #{bean.value} are evaluated at runtime. The attack typically occurs when user input is insufficiently sanitized before being incorporated into an expression evaluation, enabling attackers to manipulate the context in which the expression is processed and to access sensitive objects or methods within the application environment. Successful exploitation can result in complete compromise of the application, because the executed code inherits the privileges of the application server, potentially allowing attackers to pivot to other systems or exfiltrate sensitive data.
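The vulnerable pattern described above next to a hardened form, as an added example that is not from the original page. It assumes Spring's SpEL (spring-expression on the classpath); the Account class, the method names and the sample input are hypothetical and constructed for illustration.

```java
import org.springframework.expression.EvaluationContext;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;

public class ElInjectionDemo {
    // Hypothetical bean standing in for application state reachable from the expression.
    public static class Account {
        private final String owner;
        public Account(String owner) { this.owner = owner; }
        public String getOwner() { return owner; }
    }

    private static final ExpressionParser PARSER = new SpelExpressionParser();

    // VULNERABLE: request text is concatenated into the expression source, so the
    // parser treats it as code. StandardEvaluationContext also allows method calls,
    // constructors and type references, so whatever is parsed runs with the
    // application's privileges.
    static Object vulnerableGreeting(Account acct, String userInput) {
        StandardEvaluationContext ctx = new StandardEvaluationContext(acct);
        return PARSER.parseExpression("'Hello ' + " + userInput).getValue(ctx);
    }

    // HARDENED: the expression text is a constant; user input is bound as a
    // variable and is only ever handled as a String value. SimpleEvaluationContext
    // does not support type references, constructors or bean references, which
    // limits the damage if an expression is ever built from input by mistake.
    static Object safeGreeting(Account acct, String userInput) {
        EvaluationContext ctx = SimpleEvaluationContext.forReadOnlyDataBinding()
                .withRootObject(acct)
                .build();
        ctx.setVariable("name", userInput);
        return PARSER.parseExpression("'Hello ' + #name").getValue(ctx);
    }

    public static void main(String[] args) {
        Account acct = new Account("alice");
        String input = "owner"; // constructed input: a property name where a display name was expected

        // Input is parsed as a property reference on Account and its value is disclosed.
        System.out.println(vulnerableGreeting(acct, input));
        // Input is concatenated as plain text; nothing in it is evaluated.
        System.out.println(safeGreeting(acct, input));
    }
}
```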