
Bypassing OGNL sandboxes for fun and charities

Blog post from GitHub

Post Details
Company: GitHub
Author: Alvaro Munoz
Word Count: 3,949
Language: English
Summary

Overview

Object Graph Notation Language (OGNL) is a Java-based expression language frequently used in frameworks and applications such as Apache Struts and Atlassian Confluence. These have historically been vulnerable to remote code execution (RCE) through OGNL injection, the Equifax breach being a notable case. Although protection mechanisms have been developed to mitigate these vulnerabilities, researchers like Alvaro Munoz have demonstrated that they can still be bypassed with advanced techniques, such as leveraging AST nodes and using OGNL's inherent features to access restricted classes and execute arbitrary code. Munoz describes various methods of circumventing these protections, including exploiting the OGNL AST to evaluate expressions and leveraging BeanMap and other techniques to bypass sandbox restrictions, which together show how hard it is to sandbox an expression language like OGNL. Although no new vulnerabilities are reported, the findings highlight the ongoing need for robust security measures in applications that use OGNL. The research has also led to a $5,600 donation to UNHCR from bug bounty earnings.