SKILL: Expression Language Injection — Expert Attack Playbook
AI LOAD INSTRUCTION: Expert EL injection techniques covering SpEL (Spring), OGNL (Struts2), and Java EL (JSP/JSF). Distinct from SSTI — EL injection targets expression evaluators in Java frameworks, not template engines. Covers sandbox bypass, _memberAccess manipulation, actuator abuse, and real-world CVE chains.
0. RELATED ROUTING
ssti-server-side-template-injection for template engines (Jinja2, FreeMarker, Twig) — different attack surface
jndi-injection when EL evaluation leads to JNDI lookup
Key distinction: SSTI targets template rendering engines; EL injection targets expression evaluators embedded in Java frameworks. They share detection probes (${7*7}) but diverge in exploitation.
1. DETECTION — POLYGLOT PROBES