OWASP / ASVS

Application Security Verification Standard
Creative Commons Attribution Share Alike 4.0 International

Request to Add Expression Language Injection Vulnerability (e.g., SpEL injection) #1729

Closed ImanSharaf closed 1 month ago

ImanSharaf commented 1 year ago

I'd like to propose the addition of Expression Language (EL) Injection to the ASVS standards, given its relevance and increasing occurrences in modern applications.

Expression Language (EL) Injection is a type of injection attack where an attacker can inject arbitrary code into an application's EL engine, potentially leading to remote code execution, information disclosure, or other malicious activities. Several frameworks use expression languages to bind data between views and back-end services. When not properly validated or sanitized, these bindings can become attack vectors.

Spring Expression Language (SpEL) Injection

Spring Framework, popular in the Java ecosystem, uses its own expression language called Spring Expression Language (SpEL). An application using SpEL is vulnerable if it directly evaluates expressions from untrusted sources.

Considering the potential risks and the popularity of frameworks using expression languages, I believe it would be valuable to incorporate this vulnerability into the ASVS standards. This would provide guidance for organizations to ensure their applications are safeguarded against such attacks.

elarlang commented 1 year ago

The question is, is it widespread enough to have a special spotlight as a separate requirement, or can it be covered in some more abstract requirement?

https://github.com/OWASP/ASVS/issues/1589 - after splitting up the current 5.3.1, we will have quite many requirements for injection, sanitization, encoding and execution. If we add a separate requirement for each technology or framework, maybe it's too much.

tghosth commented 1 year ago

I am going to drop this into the V5 rework bucket because I think we need to consider all these issues together.

tghosth commented 2 months ago

I propose adding this to 5.2.8:

| # | Description | L1 | L2 | L3 | CWE |
|---|---|---|---|---|---|
| 5.2.8 | [MODIFIED] Verify that the application sanitizes, disables, or sandboxes user-supplied scriptable or expression template language content, such as Markdown, CSS or XSL stylesheets, BBCode, Spring Expression Language (SpEL), or similar. | | | | 94 |

Any objections @ImanSharaf ?

ImanSharaf commented 2 months ago

If we want to do this, then we should merge other items such as SSTI with this one too?

randomstuff commented 2 months ago

Sanitizing SpEL looks like a very bad idea doomed to failure :smile:

I am not sure SpEL injection should be mentioned here, but rather alongside shell command injection, JavaScript/PHP/Python eval(), SQL, JPQL/HPQL and so on.

tghosth commented 2 months ago

@randomstuff do you have a suggested requirement to include it in? What is your suggested mitigation?

tghosth commented 1 month ago

Having read this, I agree it sounds more like eval/dynamic code execution: https://0xn3va.gitbook.io/cheat-sheets/framework/spring/spel-injection
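The three options named in the proposed 5.2.8 wording (sanitize, disable, sandbox) and the "treat it like eval" view above can be made concrete with a small Java program. This is an added example, not code from the ASVS project or from anyone in this thread; it assumes `spring-expression` is on the classpath, and the `Order` class, its fields and the input strings are constructed for illustration. It shows the vulnerable pattern (evaluating untrusted text with `StandardEvaluationContext`), the sandboxed form (`SimpleEvaluationContext.forReadOnlyDataBinding()`, which rejects type references, constructors, bean references and method calls), and the "disabled" form where no expression engine is involved at all.

```java
// Added example (not from the ASVS project or this issue thread). Assumes
// spring-expression on the classpath; Order and the sample inputs are constructed.
import org.springframework.expression.EvaluationContext;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.SpelEvaluationException;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;

import java.util.Set;

public class SpelInjectionDemo {

    /** Constructed data object that a view layer might bind against. */
    public static class Order {
        private final String customer;
        private final int total;
        public Order(String customer, int total) { this.customer = customer; this.total = total; }
        public String getCustomer() { return customer; }
        public int getTotal() { return total; }
    }

    private static final ExpressionParser PARSER = new SpelExpressionParser();

    /** VULNERABLE: untrusted text is parsed as a full SpEL program. StandardEvaluationContext
     *  resolves T(...) type references, constructors and arbitrary method calls, so the
     *  caller decides what code runs, not merely which field is read. */
    static Object evaluateUnsafe(String untrusted, Order root) {
        EvaluationContext ctx = new StandardEvaluationContext(root);
        return PARSER.parseExpression(untrusted).getValue(ctx);
    }

    /** SANDBOXED: forReadOnlyDataBinding() exposes only public property reads on the root
     *  object. Type references, constructors, bean references and method invocation are
     *  rejected with a SpelEvaluationException at evaluation time. */
    static Object evaluateSandboxed(String untrusted, Order root) {
        EvaluationContext ctx = SimpleEvaluationContext.forReadOnlyDataBinding().build();
        return PARSER.parseExpression(untrusted).getValue(ctx, root);
    }

    /** DISABLED: no expression engine. The input is matched against an allow-list of
     *  property names and the read is performed in plain Java. */
    private static final Set<String> ALLOWED = Set.of("customer", "total");

    static Object readAllowedProperty(String name, Order root) {
        if (!ALLOWED.contains(name)) {
            throw new IllegalArgumentException("unknown property: " + name);
        }
        return "customer".equals(name) ? root.getCustomer() : root.getTotal();
    }

    public static void main(String[] args) {
        Order order = new Order("alice", 42);
        // Constructed inputs: a legitimate data-binding expression, and a type reference.
        // T(java.lang.Math).PI itself is harmless; the point is that the engine has left
        // the data model and is resolving classes, which is what the thread is about.
        String legit = "customer";
        String typeRef = "T(java.lang.Math).PI";

        System.out.println("unsafe/legit     : " + evaluateUnsafe(legit, order));
        System.out.println("unsafe/typeRef   : " + evaluateUnsafe(typeRef, order)); // class reference resolved

        System.out.println("sandboxed/legit  : " + evaluateSandboxed(legit, order));
        try {
            evaluateSandboxed(typeRef, order);
        } catch (SpelEvaluationException e) {
            System.out.println("sandboxed/typeRef: rejected -> " + e.getMessage());
        }

        System.out.println("allowlist/legit  : " + readAllowedProperty(legit, order));
        try {
            readAllowedProperty(typeRef, order);
        } catch (IllegalArgumentException e) {
            System.out.println("allowlist/typeRef: rejected -> " + e.getMessage());
        }
    }
}
```

The sandboxed and allow-list variants both return `alice` for the legitimate input and refuse the type reference; only the `StandardEvaluationContext` path resolves it. For verification purposes this maps onto the 5.2.8 wording directly: if user-controlled text reaches `StandardEvaluationContext`, the application is neither disabling nor sandboxing the expression language, and, as noted above, trying to sanitize the string instead is the wrong control.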

tghosth commented 1 month ago

Opened #2091