Dan Amodio

Remote Code with Expression Language Injection

Discovering and Exploiting a Spring Framework Vulnerability

Until now, Expression Language Injection has meant only information disclosure. I’ll illustrate how it can actually be used for remote code execution on Glassfish and potentially other EL 2.2 containers.
