How secure coding guidelines evolve
Last week I was researching vulnerabilities in Java Spring to bring our secure coding guidelines up to date. I was going through the existing challenges on our platform and noticed a few on XSS through displaying url parameters in JSP pages. The incorrect code example would look something similar to the following:
<input type="text" name="username" value="${param.username}">
The correct solution was removing the URL parameter altogether and the description mentions that escaping the URL parameter the correct way is also safe.
Now, my job is to formulate the secure coding guideline in a way that is clear to developers and restricts them as little as possible while still writing secure code. In this case, I would prefer to let developers keep their intended functionality and recommend them to do it securely by escaping the URL parameter. This way, the code no longer contains a XSS vulnerability. The above example can be secured like this:
<input type="text" name="username" value="${fn:escapeXml(param.username)}">
And this was our secure coding guideline for a few days, until I stumbled on an OWASP page on expression language injection. This page describes how the Spring Expression Language (SpEL) can be abused for injection with some serious impact, including remote code execution. It was up to me to figure out if there could be cases where code adhering to our secure coding guideline can still be affected by this vulnerability. So I wrote a quick test application to evaluate SpEL expressions, and tested input with and without Xml escaping to see if I could find some scenarios that would not be caught. And I did, there are malicious expressions that do not contain any characters caught by XmlEscape. I published the working demo on our github, which you can find here.
And of course I updated our secure coding guideline which now reads: "Do not display or evaluate URL parameters using the Spring Expression Language (SpEL)."
The overall impact of this issue is High, for the following reasons: - An attacker could modify and invoke functionality on the application server. - Unauthorized access to data and functionality, as well as account hijacking and remote code execution. - Confidentiality, and Integrity concerns from a successful attack.
https://www.owasp.org/index.php/Expression_Language_Injection
Last week I was researching vulnerabilities in Java Spring to bring our secure coding guidelines up to date.
Application Security Researcher - R&D Engineer - PhD Candidate
Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.
Book a demo
Application Security Researcher - R&D Engineer - PhD Candidate
Last week I was researching vulnerabilities in Java Spring to bring our secure coding guidelines up to date. I was going through the existing challenges on our platform and noticed a few on XSS through displaying url parameters in JSP pages. The incorrect code example would look something similar to the following:
<input type="text" name="username" value="${param.username}">
The correct solution was removing the URL parameter altogether and the description mentions that escaping the URL parameter the correct way is also safe.
Now, my job is to formulate the secure coding guideline in a way that is clear to developers and restricts them as little as possible while still writing secure code. In this case, I would prefer to let developers keep their intended functionality and recommend them to do it securely by escaping the URL parameter. This way, the code no longer contains a XSS vulnerability. The above example can be secured like this:
<input type="text" name="username" value="${fn:escapeXml(param.username)}">
And this was our secure coding guideline for a few days, until I stumbled on an OWASP page on expression language injection. This page describes how the Spring Expression Language (SpEL) can be abused for injection with some serious impact, including remote code execution. It was up to me to figure out if there could be cases where code adhering to our secure coding guideline can still be affected by this vulnerability. So I wrote a quick test application to evaluate SpEL expressions, and tested input with and without Xml escaping to see if I could find some scenarios that would not be caught. And I did, there are malicious expressions that do not contain any characters caught by XmlEscape. I published the working demo on our github, which you can find here.
And of course I updated our secure coding guideline which now reads: "Do not display or evaluate URL parameters using the Spring Expression Language (SpEL)."
The overall impact of this issue is High, for the following reasons: - An attacker could modify and invoke functionality on the application server. - Unauthorized access to data and functionality, as well as account hijacking and remote code execution. - Confidentiality, and Integrity concerns from a successful attack.
https://www.owasp.org/index.php/Expression_Language_Injection
Last week I was researching vulnerabilities in Java Spring to bring our secure coding guidelines up to date. I was going through the existing challenges on our platform and noticed a few on XSS through displaying url parameters in JSP pages. The incorrect code example would look something similar to the following:
<input type="text" name="username" value="${param.username}">
The correct solution was removing the URL parameter altogether and the description mentions that escaping the URL parameter the correct way is also safe.
Now, my job is to formulate the secure coding guideline in a way that is clear to developers and restricts them as little as possible while still writing secure code. In this case, I would prefer to let developers keep their intended functionality and recommend them to do it securely by escaping the URL parameter. This way, the code no longer contains a XSS vulnerability. The above example can be secured like this:
<input type="text" name="username" value="${fn:escapeXml(param.username)}">
And this was our secure coding guideline for a few days, until I stumbled on an OWASP page on expression language injection. This page describes how the Spring Expression Language (SpEL) can be abused for injection with some serious impact, including remote code execution. It was up to me to figure out if there could be cases where code adhering to our secure coding guideline can still be affected by this vulnerability. So I wrote a quick test application to evaluate SpEL expressions, and tested input with and without Xml escaping to see if I could find some scenarios that would not be caught. And I did, there are malicious expressions that do not contain any characters caught by XmlEscape. I published the working demo on our github, which you can find here.
And of course I updated our secure coding guideline which now reads: "Do not display or evaluate URL parameters using the Spring Expression Language (SpEL)."
The overall impact of this issue is High, for the following reasons: - An attacker could modify and invoke functionality on the application server. - Unauthorized access to data and functionality, as well as account hijacking and remote code execution. - Confidentiality, and Integrity concerns from a successful attack.
https://www.owasp.org/index.php/Expression_Language_Injection
Click on the link below and download the PDF of this resource.
Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.
View reportBook a demo
Application Security Researcher - R&D Engineer - PhD Candidate
Last week I was researching vulnerabilities in Java Spring to bring our secure coding guidelines up to date. I was going through the existing challenges on our platform and noticed a few on XSS through displaying url parameters in JSP pages. The incorrect code example would look something similar to the following:
<input type="text" name="username" value="${param.username}">
The correct solution was removing the URL parameter altogether and the description mentions that escaping the URL parameter the correct way is also safe.
Now, my job is to formulate the secure coding guideline in a way that is clear to developers and restricts them as little as possible while still writing secure code. In this case, I would prefer to let developers keep their intended functionality and recommend them to do it securely by escaping the URL parameter. This way, the code no longer contains a XSS vulnerability. The above example can be secured like this:
<input type="text" name="username" value="${fn:escapeXml(param.username)}">
And this was our secure coding guideline for a few days, until I stumbled on an OWASP page on expression language injection. This page describes how the Spring Expression Language (SpEL) can be abused for injection with some serious impact, including remote code execution. It was up to me to figure out if there could be cases where code adhering to our secure coding guideline can still be affected by this vulnerability. So I wrote a quick test application to evaluate SpEL expressions, and tested input with and without Xml escaping to see if I could find some scenarios that would not be caught. And I did, there are malicious expressions that do not contain any characters caught by XmlEscape. I published the working demo on our github, which you can find here.
And of course I updated our secure coding guideline which now reads: "Do not display or evaluate URL parameters using the Spring Expression Language (SpEL)."
The overall impact of this issue is High, for the following reasons: - An attacker could modify and invoke functionality on the application server. - Unauthorized access to data and functionality, as well as account hijacking and remote code execution. - Confidentiality, and Integrity concerns from a successful attack.
https://www.owasp.org/index.php/Expression_Language_Injection
Table of contents
Application Security Researcher - R&D Engineer - PhD Candidate
Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.
Book a demoDownloadResources to get you started
Turn Awareness Into Action This Cyber Awareness Month
This October, turn awareness into action. Make Cyber Awareness Month memorable for your developers with a high-impact, high-participation experience—led by Secure Code Warrior's Professional Services team.
Secure code training topics & content
Our industry-leading content is always evolving to fit the ever changing software development landscape with your role in mind. Topics covering everything from AI to XQuery Injection, offered for a variety of roles from Architects and Engineers to Product Managers and QA. Get a sneak peak of what our content catalog has to offer by topic and role.
Quests: Industry leading learning to keep developers ahead of the game mitigating risk.
Quests is a learning platform that helps developers mitigate software security risks by enhancing their secure coding skills. With curated learning paths, hands-on challenges, and interactive activities, it empowers developers to identify and prevent vulnerabilities.
Resources to get you started
Is Vibe Coding Going to Turn Your Codebase Into a Frat Party?
Vibe coding is like a college frat party, and AI is the centerpiece of all the festivities, the keg. It’s a lot of fun to let loose, get creative, and see where your imagination can take you, but after a few keg stands, drinking (or, using AI) in moderation is undoubtedly the safer long-term solution.
The Decade of the Defenders: Secure Code Warrior Turns Ten
Secure Code Warrior's founding team has stayed together, steering the ship through every lesson, triumph, and setback for an entire decade. We’re scaling up and ready to face our next chapter, SCW 2.0, as the leaders in developer risk management.
Developer-driven coding.
Securely.
Contact us today and make software security an intrinsic part of your development process.
