Daemon Of Hacking
  • WELCOME!
    • 👋/home/usr/KruKnight
  • METHODOLOGIES & RESOURCES
    • Passwords & Attacks
    • Post Exploitation
      • 👀Situational Awareness
      • 🖥️Privilege Escalation
        • Linux Privilege Escalation
        • Windows Privilege Escalation
  • Writeups
    • CyCtf 2024
      • Vending Machine
      • Aerospace
      • OhMyCell
    • Portswigger Labs
      • Authentication
        • Username enumeration via different responses
        • 2FA simple bypass
        • Password reset broken logic
        • Username enumeration via subtly different responses
        • Username enumeration via response timing
        • Broken Brute-Force Protection, IP Block
        • Username enumeration via account lock
        • 2FA broken logic
        • Brute-forcing a stay-logged-in cookie
        • Offline password cracking
        • Password reset poisoning via middleware
        • Password brute-force via password change
        • Broken brute-force protection, multiple credentials per request
      • Os Command Injection
        • OS command injection, simple case
        • Blind OS command injection with time delays
        • Blind OS command injection with output redirection
        • Blind OS command injection with out-of-band interaction
        • Blind OS command injection with out-of-band data exfiltration
      • Cross-Origin Resource Sharing (CORS)
        • CORS vulnerability with basic origin reflection
        • CORS vulnerability with trusted null origin
        • CORS vulnerability with trusted insecure protocols
      • Server-side template injection
        • Basic server-side template injection
        • Basic server-side template injection (code context)
      • Server-Side Request Forgery (SSRF)
        • Basic SSRF against the local server
        • Basic SSRF against another back-end
        • Blind SSRF with out-of-band detection
        • SSRF with blacklist-based input filter
        • SSRF with filter bypass via open redirection vulnerability
      • Path Traversal
  • 🟩HTB Writeups
    • Heal
Powered by GitBook
On this page
  • What is Server-Side Template Injection?
  • How Does It Happen?
  • Impact of SSTI
  • Constructing an SSTI Attack
  • 1. Detect
  • 2. Identify the Template Engine
  • 3. Exploit
  • Attack
  • Steps to Test for SSTI
  • Advanced SSTI Techniques
  • Mitigations for SSTI

Was this helpful?

  1. Writeups
  2. Portswigger Labs

Server-side template injection

What is Server-Side Template Injection?

Server-Side Template Injection (SSTI) occurs when an attacker is able to inject malicious payloads into a server-side template. These payloads are then executed on the server due to improper handling of user input.

How Does It Happen?

  • SSTI arises when user input is directly concatenated into a template rather than being passed as sanitized data.

  • Example of safe code (user input is treated as data)

$output = $twig->render("Dear {first_name}, ", array("first_name" => $user.first_name));

Example of vulnerable code (user input is concatenated):

$output = $twig->render("Dear " . $_GET['name']);

Attack URL:

http://vulnerable-website.com/?name={{bad-stuff-here}}

Impact of SSTI

At the severe end, SSTI can lead to:

  1. Remote Code Execution (RCE): Execute arbitrary commands on the server.

  2. Sensitive Data Exposure: Gain access to environment variables or sensitive files.

  3. Other Attacks: Use SSTI as a basis for XSS, SSRF, or further escalation.

Constructing an SSTI Attack

The process can be divided into four phases:

  1. Detect

  2. Identify

  3. Exploit

  4. Escalate (Read, Explore, Attack)

1. Detect

Detecting SSTI is challenging but critical. Use fuzzing or specific payloads to observe how the input is processed.

How to Detect SSTI

  • Inject special characters used in template syntax (${{<%[%'"}}%).

  • If an exception or error message is triggered, it might indicate SSTI.

Example: Mathematical Operation

  • Inject the payload:

http://vuln-website.com/?username=${7*7}

If the output is:

Hello 49

  • This confirms SSTI as the server interpreted the template syntax.

Code Context Detection

If the server uses template syntax for rendering:

greeting = getQueryParameter('greeting');
engine.render("Hello {{"+greeting+"}}", data)

  1. Test for XSS:

http://vuln-website.com/?greeting=data.username<tag>

Inject template syntax to escape the statement:

http://vuln-website.com/?greeting=data.username}}<tag>

  • If output is: Hello Mary<tag> → SSTI is present.

  • If an error occurs → Possibly no SSTI or a different engine.

2. Identify the Template Engine

Once a potential SSTI is detected, the next step is identifying the template engine.

Techniques for Identification

  1. Invalid Syntax Testing

    • Submit invalid syntax and observe the error message:{{7/0}} Example Error (Ruby-based ERB engine):

(erb):1:in `<main>': undefined local variable or method `foobar' for main:Object (NameError)

  1. Test Engine-Specific Payloads

  • Different template engines interpret payloads differently:

Payload: {{7*'7'}}
Twig Output: 49
Jinja2 Output: 7777777

  1. Common Syntax Examples:

${}
${foobar}
{{7*7}}
{{foobar}}
<%= 7/0 %>

3. Exploit

After identifying SSTI, the next step is exploitation. The level of exploitation depends on the template engine and server context.

Read

  1. Study Documentation:

    • Understand the template engine’s syntax and features.

    • Example for Python-based Mako template engine

<%
import os
x = os.popen('id').read()
%>
${x}

  1. Read About Security Implications:

    • Identify known vulnerabilities and exploit techniques.

Explore

  • Many template engines expose powerful objects such as self or environment.

  • Example in Java:

${T(java.lang.System).getenv()}

Attack

  • Escalate from SSTI to RCE or sensitive data access.

  • Example RCE:

{{config.__class__.from_envvar("PATH")}}

Steps to Test for SSTI

  1. Inject payloads containing special characters:

    • Examples: ${{<%[%'"}}%

  2. Look for exceptions or anomalies in the server response.

  3. Test template syntax-specific payloads to confirm exploitation potential.

Advanced SSTI Techniques

1. SSTI in Plaintext Context

  • Output rendered as text (e.g., Hello Mary).

  • Often mistaken for XSS vulnerabilities.

2. SSTI in Code Context

  • Exploit by escaping template syntax and injecting malicious code.

3. Error-Based SSTI

  • Trigger parsing errors to reveal template engine details or sensitive data.

Mitigations for SSTI

  1. Avoid Direct Concatenation:

    • Always pass user input as data, not as part of the template string.

  2. Use Secure Template Engines:

    • Use engines with built-in sanitization or restrict access to dangerous objects.

  3. Validate and Sanitize User Input:

    • Ensure that user input cannot contain template syntax.

  4. Restrict Template Functionality:

    • Limit access to objects, functions, or system calls in the template engine.

  5. Error Handling:

    • Do not expose detailed error messages that could reveal sensitive information.

PreviousCORS vulnerability with trusted insecure protocolsNextBasic server-side template injection

Last updated 5 months ago

Was this helpful?