OGNL Injection (OGNL)
Mitigation Strategies for OGNL Injection Vulnerabilities
Prevent OGNL Injection EffectivelyTable of Contents
What is OGNL injection (OGNL)?
Object-Graph Navigation Language is an open-source Expression Language (EL) for Java objects. Specifically, OGNL enables the evaluation of EL expressions in Apache Struts, which is the commonly used development framework for Java-based web applications in enterprise environments. The most critical vulnerabilities on the list of Apache Struts CVEs relate to OGNL expression injection attacks, which enable evaluation of invalidated expressions against the value stack, allowing an attacker to modify system variables or execute arbitrary code.
OGNL is infamous for related vulnerabilities found in the Struts 2 framework that relies on it. Because OGNL has the ability to create or change executable code, it is also capable of introducing critical security flaws to any framework that uses it. For example, it is possible for the attacker to inject OGNL expressions (which can execute arbitrary malicious Java code), when an OGNL expression injection vulnerability is present.
Protections against this CVE include security solutions that can detect the presence of vulnerable Struts2 components in software so that attacks can be prevented.
Contrast is the clear customers’ choice
Contrast is named a Customers’ Choice in the 2021 Gartner Peer Insights “Voice of the Customer”: Application Security Testing report. With the highest percentage of 5-star ratings, this is the third consecutive year Contrast has received this powerful endorsement from customers.
Built for Developers. Trusted by Security.
Learn Secure Code
CROSS SITE SCRIPTING (XSS)
Learn about Cross site scripting (XSS) and how it affects your Java source code
SQL INJECTION
Learn about SWL injection and how it affects your Java source code
CLIENT SIDE INJECTION
Learn about client-side injection and how it can affect your source code