Request to Add Expression Language Injection Vulnerability (e.g., SpEL injection) #1729

Closed
ImanSharaf opened this issue Sep 25, 2023 · 8 comments · Fixed by #2091
Labels
- 4b Major-rework: These issues need to be part of a full chapter rework
- V5: Temporary label for grouping input validation, sanitization, encoding, escaping related requirements
- _5.0 - prep: This needs to be addressed to prepare 5.0

Comments

@ImanSharaf
Collaborator

I'd like to propose the addition of Expression Language (EL) Injection to the ASVS standards, given its relevance and increasing occurrences in modern applications.

Expression Language (EL) Injection is a type of injection attack where an attacker can inject arbitrary code into an application's EL engine, potentially leading to remote code execution, information disclosure, or other malicious activities. Several frameworks use expression languages to bind data between views and back-end services. When not properly validated or sanitized, these bindings can become attack vectors.

Spring Expression Language (SpEL) Injection
Spring Framework, popular in the Java ecosystem, uses its Expression Language called Spring Expression Language (SpEL). An application using SpEL is vulnerable if it directly evaluates expressions from untrusted sources.

Considering the potential risks and the popularity of frameworks using expression languages, I believe it would be valuable to incorporate this vulnerability into the ASVS standards. This would provide guidance for organizations to ensure their applications are safeguarded against such attacks.

@elarlang
Collaborator

The question is, is it widespread enough to have a special spotlight as a separate requirement, or can it be covered in some more abstract requirement?

#1589 - after splitting up the current 5.3.1, we will have quite a few requirements for injection, sanitization, encoding and execution. If we add a separate requirement for each technology or framework, maybe it's too much.

@tghosth
Collaborator

tghosth commented Sep 27, 2023

I am going to drop this into the V5 rework bucket because I think we need to consider all these issues together.

tghosth added the V5, _5.0 - prep and 4b Major-rework labels Sep 27, 2023
@tghosth
Collaborator

tghosth commented Aug 12, 2024

I propose adding this to 5.2.8:

| # | Description | L1 | L2 | L3 | CWE |
| --- | --- | --- | --- | --- | --- |
| 5.2.8 | [MODIFIED] Verify that the application sanitizes, disables, or sandboxes user-supplied scriptable or expression template language content, such as Markdown, CSS or XSL stylesheets, BBCode, Spring Expression Language (SpEL), or similar. | | | | 94 |

Any objections @ImanSharaf ?

@ImanSharaf
Collaborator Author

If we want to do this, then we should merge other items such as SSTI with this one too?

@randomstuff
Contributor

randomstuff commented Aug 30, 2024

sanitizing SpEL looks like a very bad idea doomed to failure 😄

I am not sure SpEL injection should be mentioned here but more alongside shell command injection, JavaScript/PHP/Python eval(), SQL, JPQL/HPQL and so on.

@tghosth
Collaborator

tghosth commented Sep 2, 2024

@randomstuff do you have a suggested requirement to include it in? What is your suggested mitigation?

tghosth added the 1) Discussion ongoing label (Issue is opened and assigned but no clear proposal yet) Sep 2, 2024
@tghosth
Collaborator

tghosth commented Sep 18, 2024

Having read this, I agree it sounds more like eval/dynamic code execution:
https://0xn3va.gitbook.io/cheat-sheets/framework/spring/spel-injection
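The pattern the thread converges on, as an added example that is not part of this issue or of the ASVS project: the eval-like case from the opening post (an expression string taken from the request and evaluated in a StandardEvaluationContext), beside the two defensive alternatives the later comments point at, keeping the expression application-owned so user input enters only as bound data, and, where the client must pick a field at runtime, an allow-list evaluated in Spring's restricted SimpleEvaluationContext. The Order class, the ALLOWED_FIELDS map and the method names are constructed for this example.

```java
import java.util.Map;
import org.springframework.expression.EvaluationContext;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;

public class SpelBinding {
    // Constructed data object that the templates bind against (hypothetical).
    public static class Order {
        private final String id;
        private final int quantity;
        public Order(String id, int quantity) { this.id = id; this.quantity = quantity; }
        public String getId() { return id; }
        public int getQuantity() { return quantity; }
    }

    private static final ExpressionParser PARSER = new SpelExpressionParser();

    // VULNERABLE (the case the thread calls eval-like): the expression text itself
    // is request input, and StandardEvaluationContext exposes type references,
    // constructors and arbitrary method calls, so whoever controls the string
    // controls what the JVM executes. No sanitizer reliably fixes this.
    static Object renderUntrustedExpression(String userExpression, Order order) {
        EvaluationContext ctx = new StandardEvaluationContext(order);
        return PARSER.parseExpression(userExpression).getValue(ctx);
    }

    // FIX 1: the expression is an application-owned constant; user-controlled
    // values only ever enter as the bound root object, i.e. as data, not code.
    static String renderFixedTemplate(Order order) {
        EvaluationContext ctx = SimpleEvaluationContext.forReadOnlyDataBinding().build();
        return PARSER.parseExpression("'Order ' + id + ' x' + quantity")
                     .getValue(ctx, order, String.class);
    }

    // FIX 2 ("disable or sandbox"): when the client may choose a field, map its
    // choice onto an allow-list of application-owned expressions and evaluate in
    // SimpleEvaluationContext, which rejects T(...) type references, constructors,
    // bean references and (without withInstanceMethods()) method invocation.
    private static final Map<String, String> ALLOWED_FIELDS =
            Map.of("id", "id", "qty", "quantity");

    static Object renderSelectedField(String fieldKey, Order order) {
        String expr = ALLOWED_FIELDS.get(fieldKey);
        if (expr == null) throw new IllegalArgumentException("unknown field: " + fieldKey);
        EvaluationContext ctx = SimpleEvaluationContext.forReadOnlyDataBinding().build();
        return PARSER.parseExpression(expr).getValue(ctx, order);
    }
}
```

In a review or code search, the thing to flag is any `parseExpression(...)` whose argument is not a literal or an application-owned constant, regardless of which context it is evaluated in.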

@tghosth
Collaborator

tghosth commented Sep 18, 2024

Opened #2091

tghosth removed the 1) Discussion ongoing label Sep 18, 2024
elarlang pushed a commit to elarlang/ASVS that referenced this issue Sep 20, 2024
tghosth pushed a commit that referenced this issue Sep 22, 2024