Skip to content

OGNL Injection (OGNL)

Mitigation Strategies for OGNL Injection Vulnerabilities

Prevent OGNL Injection Effectively
Table of Contents

What is OGNL injection (OGNL)?

Object-Graph Navigation Language is an open-source Expression Language (EL) for Java objects. Specifically, OGNL enables the evaluation of EL expressions in Apache Struts, which is the commonly used development framework for Java-based web applications in enterprise environments. The most critical vulnerabilities on the list of Apache Struts CVEs relate to OGNL expression injection attacks, which enable evaluation of invalidated expressions against the value stack, allowing an attacker to modify system variables or execute arbitrary code.

OGNL is infamous for related vulnerabilities found in the Struts 2 framework that relies on it. Because OGNL has the ability to create or change executable code, it is also capable of introducing critical security flaws to any framework that uses it. For example, it is possible for the attacker to inject OGNL expressions (which can execute arbitrary malicious Java code), when an OGNL expression injection vulnerability is present.

Protections against this CVE include security solutions that can detect the presence of vulnerable Struts2 components in software so that attacks can be prevented.

 

Learn More About Contrast Security

Contrast is the clear customers’ choice

Contrast is named a Customers’ Choice in the 2021 Gartner Peer Insights “Voice of the Customer”: Application Security Testing report. With the highest percentage of 5-star ratings, this is the third consecutive year Contrast has received this powerful endorsement from customers.

gartner-peer-insight-2021

Built for Developers. Trusted by Security.

Infosys
ring-central-logo-1
bmw-logo-rgb
backbase-logo-2
intuit-logo
credit-suisse

Learn Secure Code

Cross Site Scripting (XSS)

CROSS SITE SCRIPTING (XSS)

Learn about Cross site scripting (XSS) and how it affects your Java source code

SQL Injection - Java-1

SQL INJECTION

Learn about SWL injection and how it affects your Java source code

Client Side Injection

CLIENT SIDE INJECTION

Learn about client-side injection and how it can affect your source code