THP Wisec USH DigitalBullets TheHackersPlace network
The WIse SECurity
Wisec Home SecSearch Projects Papers Security Thoughts
News Search on Wisec

Security Thoughts

[ Back ]

Monday, September 12, 2011, 16:48

Expression Language Injection

Think about implementing a web application that relies several secrets like anti CRSRF tokens, random seeds used for password generation and so on...

If the implementation is based on Spring MVC framework and security is important for you, then you should consider reading the paper Expression Language Injection which is the result of a joint research conducted by Stefano Di Paola of Minded Security and Arshan Dabirsiaghi of Aspect Security.

We tried to identify the security impact of a bug in Spring MVC which could lead to double evaluation of Expression Language if an untrusted input is used as the argument of particular attributes.

Continue readinng on Minded Security blog...


No comments yet.

Comments are disabled

Admin login | This weblog is from

Wisec is brought to you by...

Wisec is written and mantained by Stefano Di Paola.

Wisec uses open standards, including XHTML, CSS2, and XML-RPC.

All Rights Reserved 2004
All hosted messages and metadata are owned by their respective authors.