← Back to All Scanners
Injection AttacksCritical Severity

SpEL Injection Scanner

Identifies Spring Expression Language injection vulnerabilities.

Try This Scanner

What is SpEL Injection?

Spring Expression Language (SpEL) Injection occurs when untrusted user input is evaluated as SpEL expressions in Spring Framework applications. SpEL is powerful, allowing method invocation, object instantiation, and access to Spring beans. Exploitation typically leads to remote code execution.

Why is This Important?

Spring Framework is the most popular Java web framework, powering millions of applications. SpEL Injection can compromise any Spring application, access all beans in the application context, and execute arbitrary code. The Spring4Shell vulnerability (CVE-2022-22965) highlighted how widespread Spring vulnerabilities can be.

How It Works

1. Input Discovery

Maps all user input points including forms, headers, cookies, and API parameters for injection testing.

2. Injection Testing

Executes sophisticated injection payloads designed to bypass filters and WAFs while detecting vulnerabilities.

3. Exploitation Validation

Confirms vulnerabilities through safe exploitation, providing proof-of-concept and impact assessment.

Key Capabilities

Advanced injection detection engine combining signature-based and AI-powered analysis for comprehensive coverage.

  • Multi-vector injection testing across all input types
  • WAF and filter bypass techniques built-in
  • Database-specific payload optimization
  • Out-of-band detection for blind vulnerabilities
  • Automated proof-of-concept generation

Frequently Asked Questions

Where does SpEL Injection commonly occur?

Common locations include: @Value annotations with user input, Spring Security expressions, Spring Data queries, message expressions, and any custom code that evaluates SpEL. The SpelExpressionParser with user input is a red flag.

How does SpEL achieve code execution?

SpEL can call Runtime.getRuntime().exec(), instantiate ProcessBuilder, access the application context to call any bean method, and use reflection to bypass restrictions. Payloads like T(java.lang.Runtime).getRuntime().exec('cmd') are common.

Does Spring have SpEL security features?

Spring offers SimpleEvaluationContext as a restricted alternative to StandardEvaluationContext. However, developers must explicitly use it. Many vulnerabilities occur because StandardEvaluationContext (full access) is used with user input.

How do I prevent SpEL Injection?

Never evaluate user input as SpEL, use SimpleEvaluationContext when SpEL evaluation is necessary, audit @Value annotations and security expressions, validate inputs before any expression evaluation, keep Spring Framework updated, and review custom SpEL usage.

Related Scanners

NoSQL Injection - MongoDBCritical
Learn more →
NoSQL Injection - RedisCritical
Learn more →
NoSQL Injection - CouchDBCritical
Learn more →
NoSQL Injection - CassandraCritical
Learn more →

Ready to secure your application?

Start testing for spel injection vulnerabilities today.

Get Started Free