Expression Language injection, or EL Injection for short, is an attack vector I'd never heard of until recently. This post talks about leveraging EL for RCE.
Before getting into the post, this isn't anything brand new or leet in the area
of XML External Entity (Blind XXE) attacks; it is purely something I came across
and wanted to share.
This post will discuss an issue I found regarding CSV injection on Pornhub.com,
allowing a remote attacker to inject malicious code into video titles resulting
in potential full compromise of content creators
In this post, I will discuss several methods and remediation steps that can be
used to help escape and mitigate CSV
[https://support.office.com/en-gb/article/Import-or-export-text-txt-or-csv-files-5250ac4c-663c-47ce-937b-339e391393ba]
(Comma separated values) injection type