SSTI

LogoPayloadsAllTheThings/README.md at master · swisskyrepo/PayloadsAllTheThingsGitHub

a template engine is a software that combines pre-defined templates with dynamically generated data and is often used by web applications to generate dynamic responses. example template enginers are Jinja and Twig

#template
#this loops over all elements in a variable names
{% for name in names %}
Hello {{ name }}!
{% endfor %}

#rendering function
names=["vautia", "21y4d", "Pedant"]

#generated content from the template engine
Hello vautia!
Hello 21y4d!
Hello Pedant!

Server-side Template Injection (SSTI) occurs when an attacker can inject templating code into a template that is later rendered by the server. If an attacker injects malicious code, the server potentially executes the code during the rendering process, enabling an attacker to take over the server completely

MITIGATION

  • ensure that user input is never fed into the call to the template engine's rendering function in the template parameter

    • This can be achieved by carefully going through the different code paths and ensuring that user input is never added to a template before a call to the rendering function

  • harden the template engine by removing potentially dangerous functions that can be used to achieve remote code execution from the execution environment

    • removing dangerous functions prevents attackers from using these functions in their payloads. However, this technique is prone to bypasses

  • a better approach would be to separate the execution environment in which the template engine runs entirely from the web server, for instance, by setting up a separate execution environment such as a Docker container.

PreviousLFINextIDENTIFICATION

Last updated