Java OGNL Expression Injection
Description
Detects potential OGNL injection in Java applications where unvalidated or unsanitized input is incorporated into OGNL expressions. OGNL expressions can read and write object properties, call methods and instantiate classes, so an attacker who controls an evaluated expression can manipulate logical evaluations or execution flow and, depending on what the evaluation context exposes, reach unauthorized data, modify application state or execute arbitrary code.
Detection Strategy
• Check if the ognl package is imported or referenced in the Java source code
• Identify calls to OGNL evaluation methods such as Ognl.getValue() and Ognl.setValue()
• Inspect whether OGNL expressions passed to these methods are dynamically constructed
• Determine if OGNL expressions are derived from untrusted external input such as HTTP request parameters
• Report a vulnerability when user-controlled or dynamic OGNL expressions are evaluated without proper validation or sanitization
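The five steps above, applied as a small line-based taint analysis over Java source text. This is an added example, not Fluid Attacks' scanner: the list of untrusted sources, the Finding record and the sample Java classes are all constructed here for illustration.

```python
"""Toy static detector for the OGNL-injection pattern in the detection
strategy above (added example, not Fluid Attacks' own scanner)."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Assumed, illustrative set of untrusted-input sources for this toy taint model.
UNTRUSTED_SOURCES = (".getParameter(", ".getHeader(", ".getQueryString(",
                     ".getCookies(", ".getReader(", ".getInputStream(")
# Step 1: does the file import or reference the ognl package at all?
OGNL_REF = re.compile(r"(?m)^\s*import\s+ognl\.|\bognl\.Ognl\b|\bOgnl\.(?:get|set)Value\b")
# Step 2: Ognl.getValue(expr, ...) / Ognl.setValue(expr, ...); group 2 is the expression argument.
OGNL_CALL = re.compile(r"\bOgnl\.(getValue|setValue)\s*\(\s*([^,]+?)\s*,")
STRING_LITERAL = re.compile(r'"(?:[^"\\]|\\.)*"')
IDENT = re.compile(r"\b[A-Za-z_]\w*\b")
# `String expr = ...;` or `expr = ...;` on one line (toy: no multi-line statements).
ASSIGN = re.compile(r"^\s*(?:final\s+)?(?:[\w.<>\[\]]+\s+)?(\w+)\s*=\s*(.+?)\s*;\s*$")


@dataclass
class Finding:
    line: int
    method: str
    expression: str
    reason: str


def _classify(expr: str, assignments: Dict[str, str], depth: int = 0) -> str:
    """Steps 3-4: is the expression 'static', 'untrusted', or merely 'dynamic'?"""
    expr = expr.strip()
    if any(src in expr for src in UNTRUSTED_SOURCES):
        return "untrusted"
    if depth > 8:  # guard against self-referential assignments such as e = e + x
        return "dynamic"
    rest = STRING_LITERAL.sub("", expr)  # keep only identifiers and operators
    names = IDENT.findall(rest)
    resolved = {n: _classify(assignments[n], assignments, depth + 1)
                for n in names if n in assignments}
    if "untrusted" in resolved.values():
        return "untrusted"
    # Static only if what is left is plain concatenation of static pieces.
    leftover = IDENT.sub("", rest)
    if re.fullmatch(r"[\s+()]*", leftover) and all(resolved.get(n) == "static" for n in names):
        return "static"
    return "dynamic"


def scan_java(source: str) -> List[Finding]:
    """Apply the five detection steps to one Java source file."""
    if not OGNL_REF.search(source):
        return []
    findings: List[Finding] = []
    assignments: Dict[str, str] = {}
    for lineno, line in enumerate(source.splitlines(), start=1):
        m = ASSIGN.match(line)
        if m:  # remember the most recent assignment to each variable
            assignments[m.group(1)] = m.group(2)
        for call in OGNL_CALL.finditer(line):
            method, expr = call.group(1), call.group(2)
            kind = _classify(expr, assignments)
            if kind == "untrusted":  # Step 5: report
                findings.append(Finding(lineno, method, expr, "expression derived from untrusted request input"))
            elif kind == "dynamic":
                findings.append(Finding(lineno, method, expr, "dynamic expression that cannot be proven static"))
    return findings


# Constructed sample sources (not taken from any real application).
VULNERABLE_SRC = """import ognl.Ognl;
import ognl.OgnlContext;
public class Vulnerable {
    Object eval(javax.servlet.http.HttpServletRequest request) throws Exception {
        OgnlContext context = new OgnlContext();
        String expression = request.getParameter("expr");
        return Ognl.getValue(expression, context);
    }
}"""
CONCAT_SRC = """import ognl.Ognl;
import ognl.OgnlContext;
public class Concat {
    void set(javax.servlet.http.HttpServletRequest request, Object root, Object v) throws Exception {
        OgnlContext context = new OgnlContext();
        String field = request.getParameter("field");
        String expression = "user." + field;
        Ognl.setValue(expression, context, root, v);
    }
}"""
SAFE_SRC = """import ognl.Ognl;
import ognl.OgnlContext;
public class Safe {
    Object eval() throws Exception {
        OgnlContext context = new OgnlContext();
        String prefix = "user.";
        String safeExpression = prefix + "name";
        Object a = Ognl.getValue(safeExpression, context);
        return Ognl.getValue("user.email", context);
    }
}"""
DYNAMIC_SRC = """import ognl.Ognl;
public class Dynamic {
    Object eval(ognl.OgnlContext context) throws Exception {
        return Ognl.getValue(buildExpression(), context);
    }
}"""
NO_OGNL_SRC = """public class Plain {
    String read(javax.servlet.http.HttpServletRequest request) { return request.getParameter("q"); }
}"""

if __name__ == "__main__":
    for name, src in [("vulnerable", VULNERABLE_SRC), ("concat", CONCAT_SRC), ("safe", SAFE_SRC),
                      ("dynamic", DYNAMIC_SRC), ("no-ognl", NO_OGNL_SRC)]:
        print(name, scan_java(src) or "no findings")
```

The toy reports two classes of result, matching the last detection step: expressions whose taint can be traced to a request accessor ("untrusted") and expressions that are built at runtime but cannot be resolved ("dynamic"), while expressions that reduce to string-literal concatenation are accepted as static. It is deliberately limited to single-line statements and intra-method data flow; a literal containing a comma, a multi-line call, or an expression passed in from another method would need a real parser and inter-procedural tracking.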
Vulnerable code example
import ognl.Ognl;
import ognl.OgnlContext;

OgnlContext context = new OgnlContext();
// Vulnerable: an HTTP parameter (request is the incoming HttpServletRequest) is evaluated as an OGNL expression
String expression = request.getParameter("expr");
Object value = Ognl.getValue(expression, context);

✅ Secure code example
import ognl.Ognl;
import ognl.OgnlContext;

OgnlContext context = new OgnlContext();
// Safe: the OGNL expression is a compile-time constant, never built from user input
String safeExpression = "user.name";
Object value = Ognl.getValue(safeExpression, context);

If the expression must vary with the request, select it from a fixed allowlist of predefined expressions keyed by the parameter value rather than concatenating the parameter into the expression string. Note also that Ognl.getValue and Ognl.setValue throw the checked ognl.OgnlException, which the caller has to handle.