This page tries to retrieve victim's JSESSIONID using inference against an application vulnerable to Expression Language injection.

Attack information:
Found:

Loading victim server on an iframe just to be sure we have a session.

This page is used for pure demonstration. Use at your own risk!

Authors: Stefano Di Paola and Arshan Dabirsiaghi

Date: September 2011