HawkScan Test Info for Expression Language Injection

Expression Language Injection


Plugin Id: 90025 | CWE: 917


To remediate the vulnerability of Expression Language Injection, the following measures can be taken:

  1. Input validation: Validate and sanitize all user-supplied input before using it to construct EL statements. This can be done by implementing strict input validation routines that only allow expected characters and patterns.

  2. Output encoding: Encode all user-supplied input that is used in EL statements to prevent any special characters or elements from being interpreted as part of the EL syntax. This can be achieved by using appropriate encoding functions or libraries provided by the framework or programming language being used.

  3. Contextual output encoding: Ensure that the encoding is applied in the correct context. Different contexts may require different encoding techniques. For example, if the user-supplied input is used as a parameter in a URL, URL encoding should be applied. If it is used in an HTML attribute, HTML encoding should be used.

  4. Use safe alternatives: Whenever possible, avoid using user-supplied input directly in EL statements. Instead, consider using safer alternatives such as predefined variables or constants.

  5. Keep software up to date: Regularly update the software and frameworks being used to the latest versions. This helps to ensure that any known vulnerabilities or weaknesses are patched.


Expression Language Injection is a vulnerability that occurs when a software application constructs an expression language (EL) statement using user-supplied input without properly neutralizing special elements that could modify the intended EL statement. This vulnerability can be exploited by an attacker to inject malicious code or execute unintended commands within the application.

In certain versions of Spring 3.0.5 and earlier, there was a specific vulnerability (CVE-2011-2730) where Expression Language tags would be evaluated twice, effectively exposing any application to EL injection. However, even in later versions, this weakness is still possible depending on the configuration.


The risks associated with Expression Language Injection include:

  1. Code execution: An attacker can inject malicious EL statements that can execute arbitrary code within the application’s context. This can lead to unauthorized access, data theft, or even complete compromise of the application and underlying system.

  2. Data manipulation: By injecting EL statements, an attacker can modify or manipulate data within the application. This can lead to data corruption, unauthorized data access, or data leakage.

  3. Privilege escalation: If the application uses EL statements to perform privileged operations, such as accessing sensitive data or executing administrative tasks, an attacker can exploit the vulnerability to escalate their privileges and gain unauthorized access to sensitive resources.

  4. Denial of Service (DoS): An attacker can craft malicious EL statements that consume excessive resources or cause the application to enter into an infinite loop. This can result in a DoS condition, rendering the application unavailable to legitimate users.

It is crucial to address Expression Language Injection vulnerabilities to prevent these risks and ensure the security and integrity of the application and its data.