The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum


Expression Language Injection Syntax

Andy | Last updated: Dec 18, 2017 06:37PM UTC

I'm trying to improve my understanding of expression language (EL) injections. The following injections were created by Burp Scanner:

${@java.lang.Thread@sleep(500)}
${"aaaaaaaaaaaaaaaa".toString().replace("a","b")}

Why are the at signs "@" needed to reference Java classes and then their methods? I can't find anything online that explains why the at sign there is correct syntax. JSP EL doesn't seem to use it, and Spring EL only seems to use it for bean references (?). An additional example I created is:

${@java.util.UUID@randomUUID()}

Second but related question: why doesn't either of these commands work? Is this due to permissions placed on certain methods and properties? Nothing is returned at all when these are attempted.

${@java.lang.Thread@toString()}
${@java.lang.Thread@getName()}

Thanks!
Andy
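The `@fully.qualified.Class@member(...)` form in the scanner payloads above is OGNL's static method/field reference syntax (the expression language used by Struts 2), which is why it looks nothing like JSP EL or SpEL. From a detection standpoint, that shape is a useful signature: the following added example (not code from the thread or from PortSwigger) scans constructed request log lines, URL-decodes them, and flags `${...}` / `%{...}` expressions that contain an OGNL static call or the harmless String-method-chain probe the scanner uses. The log lines and function names are assumptions made for this example.

```python
import re
from urllib.parse import unquote

# Constructed sample request log lines (not taken from the thread); the
# payload shapes mirror the scanner payloads quoted in the question.
SAMPLE_LOG = [
    'GET /search?q=hello HTTP/1.1',
    'GET /search?q=%24%7B%40java.lang.Thread%40sleep%28500%29%7D HTTP/1.1',
    'POST /login user=${"aaaaaaaaaaaaaaaa".toString().replace("a","b")}',
    'GET /item?id=%25%7B%40java.util.UUID%40randomUUID%28%29%7D HTTP/1.1',
    'GET /price?amount=${total*1.2} HTTP/1.1',   # benign-looking template text
]

# OGNL static reference: a leading "@" introduces a fully qualified class,
# a second "@" the static member, e.g. @java.lang.Thread@sleep(500).
STATIC_CALL = re.compile(r'@([A-Za-z_][\w.]*)@([A-Za-z_]\w*)\s*\(')
# Expression wrappers used by Java EL dialects: ${...} and %{...}
EXPR = re.compile(r'[$%]\{(.*?)\}', re.S)
# A string literal followed by a method call, the "is this evaluated?" probe
METHOD_CHAIN = re.compile(r'"[^"]*"\s*\.\w+\(\)')


def classify(line):
    """Return a list of (kind, detail) findings for one raw log line."""
    text = unquote(line)          # single URL-decode pass before matching
    findings = []
    for body in EXPR.findall(text):
        m = STATIC_CALL.search(body)
        if m:
            findings.append(('static-call', f'{m.group(1)}#{m.group(2)}'))
        elif METHOD_CHAIN.search(body):
            findings.append(('method-chain', body))
    return findings


def scan(lines):
    """Map line index -> findings for every line that produced a finding."""
    return {i: f for i, line in enumerate(lines) if (f := classify(line))}


if __name__ == '__main__':
    for idx, found in scan(SAMPLE_LOG).items():
        print(idx, found)
```

Lines that merely contain `${...}` with arithmetic are not reported, so the rule keys on the static-call and method-chain shapes rather than on the braces alone.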

PortSwigger Agent | Last updated: Dec 21, 2017 03:09PM UTC

Hi Andy, apologies for the delay in getting back to you. The developer of that particular test is out of office; we'll get back to you after the break.

PortSwigger Agent | Last updated: Jan 12, 2018 09:48AM UTC

Hi Andy, apologies for not getting back to you. We're just wrapping up for the weekend, but I will look at your case next week.

Burp User | Last updated: Jan 19, 2018 04:16PM UTC

Hi again, still hoping to hear back from someone. I'd appreciate it, thanks! Andy

PortSwigger Agent | Last updated: Jan 19, 2018 04:18PM UTC