Server-Side Template Injection

Bryan RB
MII Cyber Security Consulting Services
3 min read · Jun 21, 2024

What is Server-Side Template Injection (SSTI)

Server-Side Template Injection (SSTI) is a security vulnerability that occurs when user input is embedded into a server-side template as part of the template itself, rather than being passed to the template as data. Because template engines evaluate template syntax as code, this allows an attacker to inject and execute arbitrary code on the server, potentially leading to remote code execution (RCE) and complete server compromise.

SSTI arises wherever a web application builds dynamic pages with a template engine and concatenates user input directly into the template string before rendering it. Output escaping does not help here, because the injected text is interpreted before any output is produced; the attacker is writing template code, not page content.

Common Template Engines

This vulnerability can be found in any web framework that uses a template engine, for example:

  • Jinja2 (Python)
  • Twig (PHP)
  • Freemarker (Java)
  • Thymeleaf (Java)
  • Velocity (Java)
  • Handlebars (JavaScript)

Detecting Server-Side Template Injection (SSTI)

Fuzzing the inputs is the most practical way to detect SSTI: submit template syntax in every reflected parameter and look for evidence that it was evaluated rather than echoed back. Arithmetic probes are the standard first step, and the shape of the response also helps identify the engine. For example:

  • {{7*7}}: if the page reflects 49, the input reached a Jinja2- or Twig-style engine (both use {{ }} delimiters).
  • {{7*'7'}}: distinguishes the two. Jinja2 repeats the string and returns 7777777; Twig coerces the string to a number and returns 49.
  • ${7*7}: 49 points to a ${ }-delimited engine such as Freemarker.
  • <%= 7*7 %>: 49 points to ERB-style tags (Embedded Ruby).

After identifying the template engine, confirm the vulnerability by altering the input parameters and checking that the response changes in the way the engine's syntax predicts. Once confirmed, escalation to remote code execution is usually possible by running more complex expressions or scripts that reach the engine's underlying runtime, which makes the vulnerability far more severe than a simple reflection.

Lab Example

For this example, I'll be using the lab provided by PortSwigger on basic Server-Side Template Injection (SSTI). The goal of the lab is to delete a file called morale.txt by exploiting this vulnerability. Fortunately, the lab already tells us which template engine is in use: Embedded Ruby (ERB).

When viewing the details of the first product, a GET request is sent whose message parameter carries the text that the website then displays, so the message is reflected straight from the parameter into the page.

Since we know the lab uses ERB, its tag syntax is the reference for forging a request. First, I need to confirm the vulnerability by submitting a simple arithmetic expression, 7*7, wrapped in ERB output tags and URL-encoded into the parameter. If the input is evaluated rather than echoed, the response should contain 49, which is exactly what I was able to obtain from the response.

After confirming it, we can escalate by sending a payload that runs a system command to delete the file morale.txt from Carlos's home directory. The response returned true, and after refreshing the page the lab was solved. For anyone interested, PortSwigger also provides more varied and in-depth challenges on SSTI.
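As an added example (not code from the post or from the PortSwigger lab), here are the two lab steps reproduced against a local stand-in for the vulnerable endpoint: a Ruby method that feeds the user-controlled message straight into ERB.new, the 7*7 probe, and a deletion payload run against a throwaway temp directory instead of Carlos's home directory. The method names, the probe wrapper, and the use of File.delete rather than a shell command are assumptions of this example; the lab's real request and payload are not shown on the page.

```ruby
require "erb"
require "tmpdir"

# Vulnerable sink (assumed shape of the lab endpoint): the user-supplied
# string becomes the template itself, so any ERB tags inside it are
# evaluated as Ruby on the server before the page is produced.
def render_message_vulnerable(message)
  ERB.new(message).result(binding)
end

# Detection probe: a benign expression whose result ("49") cannot appear in
# the response unless the engine actually evaluated the arithmetic.
PROBE = "<%= 7*7 %>"

# Returns true when the render function evaluated the probe.
def erb_injectable?(render)
  render.call(PROBE).strip == "49"
end

# Escalation, reproduced safely: create a file in a temp directory, inject an
# ERB tag that deletes it, and report whether the injected code really ran.
# The real lab deletes /home/carlos/morale.txt via a system command instead.
def demonstrate_file_deletion(render)
  Dir.mktmpdir do |dir|
    target = File.join(dir, "morale.txt")
    File.write(target, "keep calm")
    payload = "<%= File.delete(#{target.inspect}) %>"
    render.call(payload)          # output is "1": File.delete's return value
    !File.exist?(target)          # true if the injected deletion executed
  end
end

if __FILE__ == $PROGRAM_NAME
  sink = method(:render_message_vulnerable)
  puts "injectable: #{erb_injectable?(sink)}"
  puts "deleted:    #{demonstrate_file_deletion(sink)}"
end
```

Against a live target the probe and payload would be URL-encoded into the message parameter; the logic of the check is the same, just read from the HTTP response instead of a method's return value.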

Mitigation

The root cause is that user input reaches the engine as template code rather than as data, so the primary defence is structural: keep templates as static, developer-controlled text and pass user input into them only as variables, rendered through the engine's own interpolation and output-escaping functions instead of concatenating the input into the template string. Validating user input against an allowlist (expected length, character set, format) narrows the attack surface, but it is a secondary control; no sanitiser reliably strips template syntax for every engine. If users genuinely must supply their own templates, render them in a sandboxed or logic-less engine rather than a full one. Finally, keep the template engine and its dependencies up to date, since sandbox escapes in these engines are patched regularly.
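As an added example (not code from the post), the hardened counterpart of an ERB rendering sink: the template is a fixed constant, user data is supplied only as a variable through ERB#result_with_hash, and the value is HTML-escaped on output. The message format allowlist (printable characters, a length cap) and the names used here are assumptions chosen for illustration.

```ruby
require "erb"
require "cgi"

# Safe pattern: the template is developer-controlled text that never changes.
# The user's message only ever arrives as the `message` local, so whatever
# it contains is data to be escaped, never template code to be evaluated.
# (The vulnerable pattern this replaces is ERB.new(user_input).result.)
MESSAGE_TEMPLATE = ERB.new('<p class="message"><%= CGI.escapeHTML(message) %></p>')

# Secondary control: an allowlist for this particular field. It rejects
# control characters and oversized input, but output escaping above is what
# actually keeps template and HTML syntax inert, not this check.
MAX_MESSAGE_LENGTH = 200

def valid_message?(message)
  message.is_a?(String) &&
    message.length <= MAX_MESSAGE_LENGTH &&
    message.match?(/\A[[:print:]]+\z/)   # non-empty, printable characters only
end

class InvalidMessage < ArgumentError; end

# Renders the fixed template with the user's message bound as a variable.
# ERB#result_with_hash (Ruby >= 2.5) builds a binding from the hash; the
# template's Ruby code is the same no matter what `message` contains.
def render_message_safe(message)
  raise InvalidMessage, "rejected message" unless valid_message?(message)
  MESSAGE_TEMPLATE.result_with_hash(message: message)
end

if __FILE__ == $PROGRAM_NAME
  # The SSTI probe comes back as literal, escaped text instead of "49".
  puts render_message_safe("<%= 7*7 %>")
  # Injected Ruby is likewise inert: it is escaped, never evaluated.
  puts render_message_safe("<%= File.delete('morale.txt') %>")
end
```

The probe that returned 49 against the vulnerable sink now renders as `&lt;%= 7*7 %&gt;`, because the engine never saw it as part of the template.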

References:

  1. https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/07-Input_Validation_Testing/18-Testing_for_Server_Side_Template_Injection
  2. https://portswigger.net/web-security/server-side-template-injection/exploiting/lab-server-side-template-injection-basic
  3. https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection