4. Blind Injection
Every attack described so far assumes an in-band scenario; in other words, it relies on the fact that the information is displayed back in the server response. This is obviously not always the case, since the application could redirect to another page on application errors, or simply not use that value in the HTML. Even then it is still possible to gather information via EL Injection by taking advantage of inference techniques.
4.1 Inferring Values Via Direct Requests
The only thing an attacker needs is a conditional expression which returns a legitimate value in case the condition is true and an unexpected value otherwise.
According to the Expression Language definition [1], in the Operators section, the ternary conditional operator is an accepted construct, and therefore it can be used in order to infer values:
...
In addition to the . and [] operators discussed in Variables, the JSP expression language provides the following operators:
● Arithmetic: +, - (binary), *, / and div, % and mod, - (unary)
● Logical: and, &&, or, ||, not, !
● Relational: ==, eq, !=, ne, <, lt, >, gt, <=, ge, >=, le. Comparisons can be made against other values, or against boolean, string, integer, or floating point literals.
● Empty: The empty operator is a prefix operation that can be used to determine whether a value is null or empty.
● Conditional: A ? B : C. Evaluate B or C, depending on the result of the evaluation of A.
...
The last problem to be solved consists in finding two values that will trigger different responses from the server. In order to do this, an attacker can try to abuse the conditional and comparison operators with the following input:
${variableName.value >= 'charSequence' ? V1 : V2}
Where:
● variableName is the name of the server-side attribute whose value the attacker wants to retrieve.
● charSequence is a sequence of characters whose length and content are built dynamically according to the inference.
● V1 is a value that will be valid for the EL parser and for the application.
● V2 is a value that will be valid for the EL parser but will trigger some kind of exception in the underlying code.
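As a defender-side example added here (it is not part of the original paper), the following Python scans access log lines for the conditional/comparison probe shape shown above and groups repeated probes per client and target attribute, which makes the character-by-character inference loop visible in the logs. The Tomcat-style log lines, client addresses and attribute names are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Shape described in 4.1: an EL conditional whose test compares an attribute
# against a quoted literal, e.g. ${x.value >= 'ab' ? V1 : V2}.
EL_PROBE = re.compile(
    r"\$\{\s*(?P<target>[\w.\[\]]+)\s*"
    r"(?P<op>>=|<=|==|!=|<|>|\b(?:ge|le|eq|ne|lt|gt)\b)\s*"
    r"['\"](?P<seq>[^'\"]*)['\"]\s*\?\s*[^:}]+?\s*:\s*[^}]+?\s*\}"
)
ACCESS_LINE = re.compile(r'(\S+) - - \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')

# Constructed Tomcat-style access log lines (addresses, paths and attribute names
# are invented). The encoded probes decode to ${sessionScope.user.id >= '<seq>' ? 1 : 'x'}.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET /app/view.jsp?name=%24%7BsessionScope.user.id%20%3E%3D%20%27a%27%20%3F%201%20%3A%20%27x%27%7D HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Oct/2023:13:55:37 +0000] "GET /app/view.jsp?name=%24%7BsessionScope.user.id%20%3E%3D%20%27b%27%20%3F%201%20%3A%20%27x%27%7D HTTP/1.1" 500 0',
    '203.0.113.9 - - [10/Oct/2023:13:55:37 +0000] "GET /app/view.jsp?name=alice HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Oct/2023:13:55:38 +0000] "GET /app/view.jsp?name=%24%7BsessionScope.user.id%20%3E%3D%20%27ba%27%20%3F%201%20%3A%20%27x%27%7D HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Oct/2023:13:55:39 +0000] "GET /app/view.jsp?name=%24%7BsessionScope.user.id%20%3E%3D%20%27bb%27%20%3F%201%20%3A%20%27x%27%7D HTTP/1.1" 500 0',
    '203.0.113.9 - - [10/Oct/2023:13:56:01 +0000] "GET /app/view.jsp?name=%24%7BrequestScope.item%20%3E%3D%20%27a%27%20%3F%201%20%3A%20%27x%27%7D HTTP/1.1" 200 512',
]

def find_el_probes(log_lines):
    """Return (client, target, seq, status) for every request whose URL-decoded
    query string carries an EL conditional-comparison probe."""
    hits = []
    for line in log_lines:
        m = ACCESS_LINE.match(line)
        if not m:
            continue
        client, path, status = m.groups()
        for p in EL_PROBE.finditer(unquote(path)):  # ${ } usually arrives as %24%7B ... %7D
            hits.append((client, p.group("target"), p.group("seq"), int(status)))
    return hits

def inference_campaigns(hits, min_requests=3):
    """Group probes by (client, target). Several requests against one attribute whose
    literal grows character by character, with the status code flipping between the
    V1 and V2 outcomes, is the signature of the linear inference loop."""
    by_key = defaultdict(list)
    for client, target, seq, status in hits:
        by_key[(client, target)].append((seq, status))
    return {k: v for k, v in by_key.items() if len(v) >= min_requests}

if __name__ == "__main__":
    for (client, target), probes in inference_campaigns(find_el_probes(SAMPLE_LOG)).items():
        print(f"{client} is inferring {target}: {probes}")
```

A single probe, such as the one from 203.0.113.9 in the sample, stays below the threshold; the 500 responses paired with the 200 responses are the out-of-band oracle the attacker reads, so alerting on the pair is more robust than alerting on errors alone.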
The pseudo code of the linear inference algorithm can be described as follows: