Skip to content

An intentionally-vulnerable application for demonstrating the hazards of SpEL expression composition

License

Notifications You must be signed in to change notification settings

jzheaux/spel-injection

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

4 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

SpEL Injection Demonstration

The following project is an intentionally-vulnerable application designed to demonstrate the hazards of composing SpEL expressions from untrusted data, specifically user input.

There are four endpoints that can be hit:

/widget/search - This endpoint does not exercise SpEL and is thus impermeable

/widget/unsafe-search - This endpoint uses StandardEvaluationContext, which grants access to Runtime. The endpoint doesn't verify user input, taking that user input and composing it into a SpEL expression.

/widget/safer-search - This endpoint uses SimpleEvaluationContext, which guards access to Runtime by default. The endpoint still doesn't verify user input, though, meaning that several attacks are still possible.

/widget/safest-search - This endpoint uses SimpleEvaluationContext as well as introduces a whitelist guard against malicious user input.

/widget/impermeable-search - This endpoint uses 'SimpleEvaluationContext', does not allow any string concatenation of the query and coerces parameters to strong data types.

Testing

There are unit tests that demonstrate exploits against these endpoints.

Also, the application can be hit directly:

curl http://localhost:8080/widget/unsafe-search?term=Widget\&filter=price%20lt%2020`

About

An intentionally-vulnerable application for demonstrating the hazards of SpEL expression composition

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages