In this blog, we are going to discuss the Server-Side Template Injection (SSTI) vulnerability and its exploitation. Before getting into the details of the vulnerability and how it is exploited, let us first see what templates are and why they are used in modern web applications.
A web template system comprises a template engine, a data stream, and template resources written in the template language. Its main job is to automatically generate custom or dynamic web pages from the supplied input parameters or values.
The template engine renders the data into a useful content type such as HTML, and programming-language features such as conditional statements and loops help to shape the output.
After processing, user-supplied data is inserted directly into a predefined template such as an HTML page that already carries all the styling and functionality.
Many developers use this feature of web templates in various content management systems, web applications, etc.
Fig: 1.0 Basic working of web templates
Template engines differ based on the programming language used by the framework. Some of the popular template engines used in building web applications are:
Server-side template injection occurs when an attacker can use native template syntax to inject a malicious payload into a template as input, which is then executed server-side.
Template engines are designed to generate web pages by combining fixed templates with dynamic data. A server-side template injection vulnerability occurs when user input is concatenated directly into a template rather than passed in as data that is properly validated and sanitized.
Fig: 2.0 Server-side template injection attack scenario
To test for server-side template injection vulnerability
To identify which template engine is used in the target application, there are a few key points to keep in mind.
Using all the above-mentioned tricks and techniques, it becomes easy to identify the template engine.
After the template engine has been identified successfully, the next step is to check whether the vulnerability can be exploited with maximum impact by making use of the template engine documentation.
Fig: 3.0 Flow Chart showing all the template engine detection payloads
In this section we will discuss the exploitation of the server-side template injection vulnerability. For demonstration purposes we will be using a Burp Web Security Academy lab.
This demo application has a blog functionality where a user can comment on existing blog posts. Also, in the user profile section a user can choose which name to display when commenting on a blog post.
Fig: 4.0 Application functionality to update name
Fig: 4.1 Request sent to Repeater
Payload: }}{{7*7}}
Fig: 4.2 Inserting a simple payload
Fig: 4.3 Response after pressing "Follow redirection"
Fig: 4.4 Payload executed successfully
Now, to exploit this vulnerability further, we first need to identify which template engine is used in this application.
Fig: 4.5 Insert special characters to generate error message
Fig: 4.6 Disclosing template engine information
Now, by referring to the documentation of this template engine, we can import system-related Python modules such as os (and call functions such as system) to perform command injection.
In the Tornado template engine, the following syntax is used to import a Python module:
{% import module_name %}
And the following syntax is used to evaluate an expression:
{{ expression }}
Using all the available information, the final payload for achieving remote code execution will be:
{% import os %}{{os.system('cat /etc/passwd')}}
In the above payload, the Python module os is first imported using the import syntax shown above. After that, using the expression evaluation syntax, we make use of the system method available in the os module to run system commands.
Fig: 4.7 Payload for remote code execution submitted
Fig: 4.8 Payload executes, showing the content of the /etc/passwd file
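A request-side check that covers both stages shown above, the {{7*7}} probes used to detect the engine and the {% import os %} / os.system payload used to exploit it, as an added example that is not part of the original post or of the lab. The parameter name, the sample bodies and the severity labels are constructed assumptions; the detector only decodes a form body and flags template delimiters, it never evaluates anything.

```python
import re
from urllib.parse import parse_qsl

# Template delimiters that SSTI probes rely on, grouped by the engines sharing them.
PROBE_PATTERNS = {
    "expression {{...}} (Tornado, Jinja2, Twig)": re.compile(r"\{\{.+?\}\}", re.S),
    "statement {%...%} (Tornado, Jinja2, Twig)": re.compile(r"\{%.+?%\}", re.S),
    "expression ${...} (FreeMarker, Velocity, Mako)": re.compile(r"\$\{.+?\}", re.S),
    "expression <%...%> (ERB, JSP)": re.compile(r"<%=?.+?%>", re.S),
}
# The classic arithmetic probe: if the response shows 49 for 7*7, the input was evaluated.
ARITHMETIC = re.compile(r"\d+\s*\*\s*\d+")
# Tokens that mark the step from detection to code execution, as in {% import os %}.
DANGEROUS = ("import", "os.", "system", "popen", "subprocess", "__class__", "Runtime")


def find_ssti_probes(body):
    """Return findings for one url-encoded form body; parse_qsl decodes the values."""
    findings = []
    for name, value in parse_qsl(body, keep_blank_values=True):
        for family, pattern in PROBE_PATTERNS.items():
            for match in pattern.finditer(value):
                token = match.group(0)
                severity = "low"                      # template syntax present at all
                if ARITHMETIC.search(token):
                    severity = "medium"               # detection probe, e.g. {{7*7}}
                if any(word in token for word in DANGEROUS):
                    severity = "high"                 # exploitation attempt
                findings.append({"param": name, "family": family,
                                 "match": token, "severity": severity})
    return findings


# Constructed sample bodies modelled on the lab's name-update request (assumed parameter
# name): a benign value, the {{7*7}} probe from the post, and the post's final payload.
SAMPLE_BODIES = [
    "csrf=abc&blog-post-author-display=user.name",
    "csrf=abc&blog-post-author-display=%7D%7D%7B%7B7*7%7D%7D",
    "csrf=abc&blog-post-author-display="
    "%7B%25%20import%20os%25%7D%7B%7Bos.system%28%27cat%20%2Fetc%2Fpasswd%27%29%7D%7D",
]

if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        for finding in find_ssti_probes(body):
            print(finding["severity"], finding["param"], finding["match"], finding["family"])
```

Feeding the same function the decoded query string or JSON values of a request gives the same classification, so it can sit in a WAF rule, a request log parser or a unit test for the name-update endpoint.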
https://portswigger.net/web-security/server-side-template-injection
https://www.we45.com/blog/server-side-template-injection-a-crash-course-
https://0x1.gitlab.io/web-security/Server-Side-Template-Injection/
Author,
Gaurish Kauthankar
Attack & Pentest Team
Varutra Consulting Pvt. Ltd.