Server-Side Template Injection

Melih Yılmaz
3 min read · Aug 29, 2022


What is SSTI, How Does It Occur and What Are the Risks?

Template engines are a common way to present dynamic data in web applications. When user input ends up inside a template in a way the developer did not intend, the consequences range from XSS to Template Injection, a critical vulnerability: because the injected expression is evaluated on the server, it can be used for a direct attack on the server side, up to remote code execution (RCE). This vulnerability stems both from developer error and from the way content management systems (CMS) use template engines to deliver functionality.

How to Perform an SSTI Attack?

The SSTI attack consists of three main steps:

· Vulnerability Identification

· Identify the Template Engine used

· Exploitation

Let’s start with the first step, identifying the vulnerability. We have an input screen, and the data entered there is reflected back to us. We begin by entering the value “test” and capturing the HTTP request that is sent with Burp Suite.

Let’s try to identify the vulnerability by manipulating the captured HTTP request. If the application is vulnerable, the expression {{{699*627}}} that we enter in the HTTP request will be rendered as 438273, the result of the multiplication.

Let’s see the response to the HTTP request we sent.

As we can see, the response contains the result of the multiplication, so we know that the target system is vulnerable. From the table below, we can determine which template engine the target system uses.

According to this table, the system we are targeting uses a template engine called “Twig”, so we will write our payloads for that engine. Let’s send the prepared payload to check whether the target system is affected by an RCE vulnerability.

We received a response from the target system showing the privileges of the current user; this response shows that the target system has an RCE vulnerability.

Let’s confirm that we can exploit this vulnerability with the “Tplmap” tool.

As you can see, we now have a command line on the target system and can execute commands on it.
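The probing shown in this walkthrough (an arithmetic expression wrapped in template delimiters, sent as a request parameter) leaves a recognizable trace in web server access logs. The following is an added example, not code from the original post or from Tplmap, of a small PHP check that flags such requests so a defender can spot SSTI testing against an application. The log lines are constructed for the example, and the pattern list and the `findProbeRequests` and `looksLikeTemplateProbe` function names are assumptions of this example.

```php
<?php
// Added example (not from the original post): flag access-log requests whose
// query parameters look like template-expression probes of the kind the
// article sends ({{699*627}}). Log lines below are constructed, not real.

// Expression delimiters of common template engines:
// {{ ... }} (Twig, Jinja2), ${ ... } (FreeMarker, Velocity),
// <% ... %> / <%= ... %> (ERB, EJS), #{ ... } (Pebble, Velocity).
const SSTI_PROBE_PATTERNS = [
    '/\{\{[^}]*\}\}/',   // {{ ... }}
    '/\$\{[^}]*\}/',     // ${ ... }
    '/<%=?[^%]*%>/',     // <% ... %> or <%= ... %>
    '/#\{[^}]*\}/',      // #{ ... }
];

// True when the value contains a delimited expression with some content
// (an identifier or an arithmetic operator); an empty "{{}}" is ignored.
function looksLikeTemplateProbe(string $value): bool
{
    foreach (SSTI_PROBE_PATTERNS as $pattern) {
        if (preg_match($pattern, $value, $m)) {
            return (bool) preg_match('/[\w*+\/\-]/', $m[0]);
        }
    }
    return false;
}

// Scan lines in Apache/Nginx combined format and return the ones whose
// query string carries a probe-looking parameter value.
function findProbeRequests(array $logLines): array
{
    $hits = [];
    foreach ($logLines as $line) {
        // Pull the request target out of the quoted request line.
        if (!preg_match('/"(?:GET|POST) (\S+) HTTP/', $line, $m)) {
            continue;
        }
        $query = parse_url($m[1], PHP_URL_QUERY) ?: '';
        parse_str($query, $params);   // also URL-decodes the values
        foreach ($params as $value) {
            if (is_string($value) && looksLikeTemplateProbe($value)) {
                $hits[] = $line;
                break;
            }
        }
    }
    return $hits;
}

// Constructed sample log: one normal request, two probes, one harmless "{}".
$sampleLog = [
    '10.0.0.5 - - [29/Aug/2022:10:15:01 +0300] "GET /greet?name=test HTTP/1.1" 200 512',
    '10.0.0.5 - - [29/Aug/2022:10:15:09 +0300] "GET /greet?name=%7B%7B699*627%7D%7D HTTP/1.1" 200 514',
    '10.0.0.5 - - [29/Aug/2022:10:15:20 +0300] "GET /greet?name=%24%7B7*7%7D HTTP/1.1" 200 520',
    '10.0.0.9 - - [29/Aug/2022:10:16:02 +0300] "GET /search?q=%7B%7D HTTP/1.1" 200 300',
];

foreach (findProbeRequests($sampleLog) as $hit) {
    echo "possible SSTI probe: {$hit}", PHP_EOL;
}
```

Run against the constructed sample, the second and third lines are reported and the other two are not. The check only looks at query strings; for a form like the one in the article, the same `looksLikeTemplateProbe` test should also be applied to POST bodies, which standard access logs do not record, so a WAF or application-level log is the better source.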

How Can We Avoid SSTI Attacks?

SSTI vulnerabilities are caused by processing the value received from the user directly as part of the template. To avoid them, the application should render a pre-prepared HTML template and hand user-supplied values to it only as data, instead of building the template from those values.
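Because the walkthrough identified Twig, here is the vulnerable pattern next to the fix described above, written for Twig's PHP API. This is an added example, not code from the original post or from the Twig project; it assumes Twig is installed through Composer, and the template name `greeting.twig` and the function names `renderVulnerable` and `renderSafe` are choices of this example.

```php
<?php
// Added example (not from the original post): the pattern that causes SSTI in
// Twig beside the pattern that avoids it. Assumes Twig installed via Composer.
require_once __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Loader\ArrayLoader;

// The template is written at development time; {{ name }} is a placeholder
// that Twig fills from the context array passed at render time.
$twig = new Environment(new ArrayLoader([
    'greeting.twig' => '<p>Hello {{ name }}</p>',
]), ['autoescape' => 'html']);

// VULNERABLE: the user's value becomes part of the template *source*, so Twig
// parses and evaluates any {{ ... }} it contains. This is what the article's
// arithmetic probe detects.
function renderVulnerable(Environment $twig, string $userInput): string
{
    $template = $twig->createTemplate('<p>Hello ' . $userInput . '</p>');
    return $template->render();
}

// SAFE: the template is fixed; the user's value is only ever a context value,
// which Twig treats as data and HTML-escapes. Template syntax in it is inert.
function renderSafe(Environment $twig, string $userInput): string
{
    return $twig->render('greeting.twig', ['name' => $userInput]);
}

// Constructed input standing in for a request parameter: a probe of the kind
// shown in the article rather than a real name.
$probe = '{{7*7}}';

echo renderVulnerable($twig, $probe), PHP_EOL;
echo renderSafe($twig, $probe), PHP_EOL;
```

With the probe string, `renderVulnerable` evaluates the expression and prints the product, while `renderSafe` prints the braces and digits literally: the difference is whether user input reaches the template parser or only the context. If users genuinely need to author templates, Twig's `SandboxExtension` with a restrictive `SecurityPolicy` is the additional layer to use, but it is not a substitute for keeping request data out of template source.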
