OGNL injection attack attempts on routes parsing OGNL
このページは日本語には対応しておりません。随時翻訳に取り組んでいます。翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。
Goal
Detect OGNL injection attempts on routes with errors related to OGNL parsing. Such security activity generally indicates that an attacker is trying to exploit a potential OGNL vulnerability.
Strategy
Monitor OGNL injection attempts ((@appsec.rule_id:dog-000-002 or @appsec.security_activity:attack_attempt.java_code_injection)) on services generating errors related to OGNL expression parsing (@_dd.appsec.enrichment.error_types:ognl.ExpressionSyntaxException).
Generate an Application Security Signal with High severity.
Triage and response
- Consider blocking the attacking IP(s) temporarily to prevent them from reaching deeper parts of your production systems.
- Investigate the errors generated by this attack to identify if any vulnerabilities need to be fixed.
