SSTI
A template engine is software that combines pre-defined templates with dynamically generated data; web applications often use one to generate dynamic responses. Example template engines are Jinja and Twig.
# template: loops over all elements in the variable names
template = """{% for name in names %}
Hello {{ name }}!
{% endfor %}"""

# rendering function: the template text is fixed, the data is passed in as a variable
# (trim_blocks=True drops the newline after each block tag so the output has no blank lines)
from jinja2 import Template
names = ["vautia", "21y4d", "Pedant"]
print(Template(template, trim_blocks=True).render(names=names))

# generated content from the template engine
Hello vautia!
Hello 21y4d!
Hello Pedant!
Server-side Template Injection (SSTI) occurs when an attacker can inject templating code into a template that is later rendered by the server. Because the injected code is executed by the template engine during rendering, a successful injection can let the attacker take over the server completely.
MITIGATION
Ensure that user input is never fed into the template parameter of the template engine's rendering function; user-controlled values belong in the data passed to the template, as in the names variable above.
This can be achieved by carefully going through the different code paths and ensuring that user input is never concatenated into or otherwise added to a template before the rendering function is called.
Harden the template engine by removing potentially dangerous functions that could be used to achieve remote code execution from the execution environment.
Removing dangerous functions prevents attackers from using them in their payloads. However, this technique is prone to bypasses, so it should not be the only defence.
A better approach is to separate the execution environment in which the template engine runs entirely from the web server, for instance by running it in a separate execution environment such as a Docker container.
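To make the first mitigation concrete, here is an added example (not from the original page) in Go, using the standard library's text/template in place of Jinja so it runs without dependencies: renderVulnerable builds the template source from user input, while renderSafe keeps the template fixed and passes the input as data. The pageData type, its Secret field and the probe value are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"fmt"
	"text/template"
)

// Constructed render-time data; Secret stands in for anything reachable
// from the template that a user must never be able to read.
type pageData struct {
	Name   string
	Secret string
}

// renderVulnerable builds the template source from user input, so any
// template directives in the input are parsed and executed by the engine.
func renderVulnerable(userInput string, data pageData) (string, error) {
	tmpl, err := template.New("greeting").Parse("Hello " + userInput + "!")
	if err != nil {
		return "", err
	}
	var out bytes.Buffer
	if err := tmpl.Execute(&out, data); err != nil {
		return "", err
	}
	return out.String(), nil
}

// renderSafe keeps the template fixed and passes user input only as data,
// so directives in the input are emitted as literal text, never evaluated.
func renderSafe(userInput string, data pageData) (string, error) {
	data.Name = userInput
	tmpl := template.Must(template.New("greeting").Parse("Hello {{ .Name }}!"))
	var out bytes.Buffer
	if err := tmpl.Execute(&out, data); err != nil {
		return "", err
	}
	return out.String(), nil
}

func main() {
	// Constructed probe: a directive that reads a field the user should not see.
	probe := "{{ .Secret }}"
	data := pageData{Name: "vautia", Secret: "constructed-secret"}
	v, _ := renderVulnerable(probe, data)
	s, _ := renderSafe(probe, data)
	fmt.Println("vulnerable:", v) // vulnerable: Hello constructed-secret!
	fmt.Println("safe:      ", s) // safe:       Hello {{ .Secret }}!
}
```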