server-side template injection

Greetings everyone! In this blog post we will explore the SSTI vulnerability, which is a type of injection attack. We will see how SSTI works, how to find the vulnerability, and how to mitigate the risk.

What is SSTI (Server-Side Template Injection)?

Most websites use a template engine: it renders dynamic data into the web page and is used to display information about users, products and other items of content. Sometimes a developer makes the mistake of embedding user input directly into a template. This unsafe embedding enables Server-Side Template Injection. Depending on the attack scenario it can be used for XSS, or to attack the web server's internal structure directly, which often makes Remote Code Execution (RCE) possible.

Some of the most popular template engines in use:

  • Smarty, Twig -> PHP templates
  • Velocity, Thymeleaf -> Java templates
  • Cheetah, Jinja -> Python templates

How does it work?

Suppose we send the request below to the server, carrying a template injection polyglot payload: a sequence of special characters that the template engine interprets and executes if the input reaches it unsafely. E.g.: {{7*2}} -> Output: 14

server-side template injection 1

A map of how to detect SSTI

Example attack:

Here we have our lab for demonstrating the SSTI vulnerability. This is the vulnerable web app:

server-side template injection 2

As shown above, the lab site is a shopping site. For this lab we need Burp Suite. After setting up Burp, we capture the View order request through Burp:

server-side template injection 3

In the picture above we see a parameter, message=, which carries a message saying that the product is out of stock. This is the parameter we will check for the vulnerability. Now change the value of the message parameter and send our polyglot payload <%= 7*7 %>

server-side template injection 4

As shown above, we changed the value of the message parameter. The server's response, now manipulated by our input, is shown in the screenshot below:

server-side template injection 5

As the picture above shows, the template engine evaluated our input and the output is 49, the answer to 7*7.

Now, how can template injection lead to deleting internal files or to OS command injection? In the lab there is a file belonging to the user carlos. By calling a command-line interface from inside the template we are able to delete that file, as in the screenshot below:

server-side template injection 6

As shown above, we were able to delete carlos's file by calling the system command rm from the template: <%=+system("rm+/home/carlos/morale.txt")+%> (URL-encoded, with + standing for spaces). This is how a template injection attack works. It is a rarely found security issue on websites, caused by a developer mistake or a weak configuration of the template engine.

Some payloads for SSTI

How to mitigate the risk:
  1. Keep frameworks and libraries up to date.
  2. Validate and sanitize user input.
  3. Use a sandbox: run the template engine within a safe, restricted environment.
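The two coding patterns behind this walkthrough, as an added Ruby/ERB example that is not the lab's or the author's code: the vulnerable version splices the message parameter into the template source (which is why <%= 7*7 %> came back as 49), the hardened version passes it in as data and escapes it on output, and a small check flags template delimiters in incoming values for logging or WAF rules. The parameter name message comes from the page; the sample strings and the delimiter patterns are constructed assumptions.

```ruby
require "erb"

# Constructed sample values for the lab's "message" parameter (not captured traffic).
BENIGN_MESSAGE = "Unfortunately this product is out of stock"
PROBE_MESSAGE  = "<%= 7*7 %>"   # the arithmetic probe used in the walkthrough above

# VULNERABLE pattern: the user-supplied value is spliced into the template
# *source*, so ERB compiles and evaluates any <%= ... %> the user sends.
# This is the behaviour that makes the probe come back as 49.
def render_vulnerable(message)
  template_source = "<p>#{message}</p>"
  ERB.new(template_source).result(binding)
end

# HARDENED pattern: the template is a fixed string written by the developer and
# compiled once; the user value is passed in as *data* (a hash of locals) and
# HTML-escaped on output. The engine never parses the user's bytes as template
# syntax, so "<%= 7*7 %>" is rendered literally instead of being evaluated.
SAFE_TEMPLATE = ERB.new("<p><%= ERB::Util.html_escape(message) %></p>")

def render_safe(message)
  SAFE_TEMPLATE.result_with_hash(message: message)
end

# Detection aid for request logs / WAF rules: flag values carrying the delimiters
# of the engine families named on this page (ERB-style <% %> and Twig/Jinja-style
# {{ }}). The pattern list is an assumption, not an exhaustive signature set.
TEMPLATE_DELIMITERS = [/<%.*?%>/m, /\{\{.*?\}\}/m].freeze

def template_syntax?(value)
  TEMPLATE_DELIMITERS.any? { |re| value.match?(re) }
end

if __FILE__ == $PROGRAM_NAME
  puts render_vulnerable(PROBE_MESSAGE)   # => <p>49</p>  (input was evaluated)
  puts render_safe(PROBE_MESSAGE)         # => <p>&lt;%= 7*7 %&gt;</p>
  puts template_syntax?(PROBE_MESSAGE)    # => true
end
```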

Conclusion: In this blog we discussed how the SSTI vulnerability works, how to test for it, an example attack scenario, and how to mitigate the risk. Keep reading our blog!

Thanks for reading... See you in another blog!


Author : Pallab Jyoti Borah | VAPT Analyst
