Скачать или смотреть Discover Juicy vulnerabilities using Burp Suite Extensions - J2EE Scan - Part 17 | Cyber Adam

Object-Graph Navigation Language is an open-source Expression Language (EL) for Java objects. Specifically, OGNL enables the evaluation of EL expressions in Apache Struts, which is the commonly used development framework for Java-based web applications in enterprise environments.
The most critical vulnerabilities on the list of Apache Struts CVEs relate to OGNL expression injection attacks, which enable evaluation of invalidated expressions against the value stack, allowing an attacker to modify system variables or execute arbitrary code.
OGNL is infamous for related vulnerabilities found in the Struts 2 framework that relies on it. Because OGNL has the ability to create or change executable code, it is also capable of introducing critical security flaws to any framework that uses it. For example, it is possible for the attacker to inject OGNL expressions (which can execute arbitrary malicious Java code), when an OGNL expression injection vulnerability is present.

Damn Vulnerable Java (EE) Application -
https://github.com/appsecco/dvja

Reference links:
  / os-command-injection  
http://www.pwntester.com/blog/2014/01...
https://breakfix.co/posts/apache-stru...
https://secops.group/ognl-injection-d...

-----------------
CHAPTERS
0:00 Intro
0:42 What is J2EE ?
1:14 What is OGNL Injection ?
2:38 J2EE Scan Burp extension
3:09 Google dorks to find target website
5:33 Vulnerable lab to test J2EE Application
6:01 Demo Time
17:28 Case study
19:50 Final Thoughts
-----------------