---
title: OGNL injection attack attempts on routes parsing OGNL
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > OOTB Rules > OGNL injection attack attempts on
  routes parsing OGNL
---

# OGNL injection attack attempts on routes parsing OGNL
Tactic:[TA0001-initial-access](https://attack.mitre.org/tactics/TA0001)Technique:[T1190-exploit-public-facing-application](https://attack.mitre.org/techniques/T1190) 
### Goal{% #goal %}

Detect OGNL injection attempts on routes with errors related to OGNL parsing. Such security activity generally indicates that an attacker is trying to exploit a potential OGNL vulnerability.

### Strategy{% #strategy %}

Monitor OGNL injection attempts (`(@appsec.rule_id:dog-000-002 or @appsec.security_activity:attack_attempt.java_code_injection)`) on services generating errors related to OGNL expression parsing (`@_dd.appsec.enrichment.error_types:ognl.ExpressionSyntaxException`).

Generate an Application Security Signal with `High` severity.

### Triage and response{% #triage-and-response %}

1. Consider blocking the attacking IP(s) temporarily to prevent them from reaching deeper parts of your production systems.
1. Investigate the errors generated by this attack to identify if any vulnerabilities need to be fixed.