Potential SpEL Injection In Spring Framework
Detects potential SpEL Injection exploitation, which may lead to RCE.
Sigma rule (View on GitHub)
1title: Potential SpEL Injection In Spring Framework
2id: e9edd087-89d8-48c9-b0b4-5b9bb10896b8
3status: test
4description: Detects potential SpEL Injection exploitation, which may lead to RCE.
5references:
6 - https://owasp.org/www-community/vulnerabilities/Expression_Language_Injection
7 - https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs
8author: Moti Harmats
9date: 2023/02/11
10tags:
11 - attack.initial_access
12 - attack.t1190
13logsource:
14 category: application
15 product: spring
16 definition: 'Requirements: application error logs must be collected (with LOG_LEVEL=ERROR and above)'
17detection:
18 keywords:
19 - 'org.springframework.expression.ExpressionException'
20 condition: keywords
21falsepositives:
22 - Application bugs
23level: high
References
-
Expression Language Injection on the main website for The OWASP Foundation. OWASP is a nonprofit foundation that works to improve the security of software.
Read More -
IntroductionWhen doing application security at scale, you have to make peace with the fact that some issues may as well find their way into production. While we work hard to make sure this almost never happens, we understand that it’s just a fact of life that sometimes some things can slip into production without proper security controls.Photo by Mahdi Bafande on UnsplashThat’s why in addition to constantly “shifting left” our efforts and trying to secure all frameworks “by design”, one of the c
Read More
Related rules
- Potential CVE-2022-21587 Exploitation Attempt
- Potential CVE-2023-23752 Exploitation Attempt
- Potential JNDI Injection Exploitation In JVM Based Application
- Potential Local File Read Vulnerability In JVM Based Application
- Potential OGNL Injection Exploitation In JVM Based Application