Server Side Template Injection by Mandeep Jadon
1 like•537 views
This document discusses server-side template injection (SSTI) vulnerabilities that can allow remote code execution on modern web applications. It begins with an introduction to templating engines and SSTI vulnerabilities. It then covers detecting, identifying, and exploiting SSTI vulnerabilities, providing examples using the Python Flask framework. It concludes with recommendations for preventing SSTI, such as not allowing user-modified templates and executing user code in a restricted sandbox.
![SSTI Continued ….
An example of vulnerable code see the following one:
$output = $twig->render("Dear " . $_GET['name’]);
In the previous example part of the template itself is being dynamically
generated using the GET parameter name. As template syntax is evaluated
server-side, this potentially allows an attacker to place a server-side
template injection payload inside the name parameter as follows:
http://vulnerable-website.com/?name={{bad-stuff-here}}](https://image.slidesharecdn.com/server-sidetemplateinjectionssti-210911091618/85/Server-Side-Template-Injection-by-Mandeep-Jadon-10-320.jpg)
![Python Flask SSTI RCE Case Study
(Demo)
Walkthrough of the App
{{ ''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read() }}
Understanding MRO
Understanding Python Inheritance
Finding the correct classes
RCE](https://image.slidesharecdn.com/server-sidetemplateinjectionssti-210911091618/85/Server-Side-Template-Injection-by-Mandeep-Jadon-16-320.jpg)
Server Side Template Injection by Mandeep Jadon
- 1. Server-Side Template Injection (SSTI) : RCE for Modern Web App Mandeep Jadon Security Analyst @ Flipkart
- 2. About Me Regular Infosec Enthusiastic 5 Years into Corporates , 7 years into security Security Analyst @Flipkart |Ex Fiserv , KPMG ,TCS Mostly into Application Security Side and code reviews . Lot to learn More Slightly into Bug Bounties Extremely inclined to Music Travelling
- 3. Setting Expectations Things to Expect from this Session Basic Understanding of SSTI and not just {{7*7}} In Depth working of some of the payloads used Code reviews Memes Things not to expect from this session SSTI Ninja , Even I am still learning RCE in 1 min . BOOM !!
- 4. Table of Contents Templating Engines SSTI Constructing a server-side template injection attack Detect Identify Exploit Examples Python Flask SSTI RCE Case Study Preventing SSTI
- 5. Templating Engines A template engine enables you to use static template files in your application. At runtime, the template engine replaces variables in a template file with actual values, and transforms the template into an HTML file sent to the client. Template engines are designed to combine templates with a data model to produce result documents which helps populating dynamic data into web pages. Template engines can be used to display information about users, products etc. This approach makes it easier to design an HTML page.
- 6. Templating Engines Continued….. Some of the most popular template engines can be listed as the followings: PHP – Smarty, Twigs Java – Velocity, Freemaker Python – JINJA, Mako, Tornado JavaScript – Jade, Rage Ruby – Liquid
- 7. Templating Engines Continued….. Static templates that simply provide placeholders into which dynamic content is rendered are generally not vulnerable to server-side template injection. The classic example is an email that greets each user by their name, such as the following extract from a Twig template: $output = $twig->render("Dear {first_name},", array("first_name" => $user.first_name) );
- 8. Demo Code Twig Template Example There are two kinds of delimiters: {% ... %} and {{ ... }}. The first one is used to execute statements such as for-loops, the latter outputs the result of an expression.
- 9. SSTI Server-side template injection is when an attacker is able to use native template syntax to inject a malicious payload into a template, which is then executed server-side. Template engines are designed to generate web pages by combining fixed templates with volatile data. Server-side template injection attacks can occur when user input is concatenated directly into a template, rather than passed in as data. This allows attackers to inject arbitrary template directives in order to manipulate the template engine, often enabling them to take complete control of the server. Does the above statement rings a bell ? Is there another very popular vulnerability in OWASP Top 10 similar to above ?
- 10. SSTI Continued …. An example of vulnerable code see the following one: $output = $twig->render("Dear " . $_GET['name’]); In the previous example part of the template itself is being dynamically generated using the GET parameter name. As template syntax is evaluated server-side, this potentially allows an attacker to place a server-side template injection payload inside the name parameter as follows: http://vulnerable-website.com/?name={{bad-stuff-here}}
- 12. Constructing a server-side template injection attack Identifying server-side template injection vulnerabilities and crafting a successful attack typically involves the following high-level process.
- 13. Detect As with any vulnerability, the first step towards exploitation is being able to find it. Perhaps the simplest initial approach is to try fuzzing the template by injecting a sequence of special characters commonly used in template expressions, such as ${{<%[%'"}}%. If an exception is raised, this indicates that the injected template syntax is potentially being interpreted by the server in some way. This is one sign that a vulnerability to server-side template injection may exist.
- 14. Identify Although there are a huge number of templating languages, many of them use very similar syntax that is specifically chosen not to clash with HTML characters. As a result, it can be relatively simple to create probing payloads to test which template engine is being used. Simply submitting invalid syntax is often enough because the resulting error message will tell you exactly what the template engine is, and sometimes even which version. For example, the invalid expression <%=foobar%> triggers the following response from the Ruby-based ERB engine: (erb):1:in `<main>': undefined local variable or method `foobar' for main:Object (NameError) from /usr/lib/ruby/2.5.0/erb.rb:876:in `eval' from /usr/lib/ruby/2.5.0/erb.rb:876:in `result'
- 15. Exploit LAB Basic server-side template injection Basic server-side template injection (code context)
- 16. Python Flask SSTI RCE Case Study (Demo) Walkthrough of the App {{ ''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read() }} Understanding MRO Understanding Python Inheritance Finding the correct classes RCE
- 17. Quick Exercise for You Can you find the bug in the code shared
- 18. Prevent SSTI The best way to prevent server-side template injection is to not allow any users to modify or submit new templates. Another measure is to only execute users' code in a sandboxed environment where potentially dangerous modules and functions have been removed altogether. Finally, another complementary approach is to accept that arbitrary code execution is all but inevitable and apply your own sandboxing by deploying your template environment in a locked-down Docker container, for example.
- 20. Ways to reach me https://twitter.com/1337tr0lls https://in.linkedin.com/in/mandeepjadon Blog : https://medium.com/@ciph3r7r0ll Github : https://github.com/mandeepjadon Sources: Portswiggers Labs