Working of SSTI (Server-Side Template Injection)
An SSTI occurs when a malicious user is permitted to use native template syntax to inject a malevolent payload into a template, which is then executed on the server-side.
Template engines are designed to create web pages by merging fixed templates with dynamic data. SSTI attacks can happen when a user inputs information and it is concatenated straight into the template, rather than passing it in the form data. It lets malicious users inject random template commands that can distort the template engine, usually, it allows them to take full control over the server.
For example,
Template = “UserName:” + Input
render(template)
- In the above example, the “Input” is a part of the template. Hence, a user can input either the username or some other parameter of a web app, like some arbitrary codes. Thus a user can input something like.
Username: {{9*9}}
Username 81
- As can be seen above, the SST engine processes the input {{9*9}} and gives 81 as the output. This demonstrates that the web app is vulnerable.
- And if the web app is found to be vulnerable, an attacker can even enter some malicious code to gain full remote access. For example,
About:{{Malicious Code()}}
Detection of SSTI :
SSTIs can be detected by the plain text detection method or by the code context detection method.
- Plain text detection method –
Plain text detection can be used to detect SSTIs, in this some of the commonly used template expressions can be used by the tester.
For example: {{8*5}}, ${2*7}, {{8/0}}, <%= 5/0 %>, ${foobar}, {{9*9}}, etc.
- Code context detection –
In this, a payload can be used to fetch an error response. For example, an HTTP GET parameter can be used to insert a variable in a template statement.
For example: Greet_user = username
Hello user_x
- If the payload server responds with just blank “Hello”. Then the tester can break out of the template statement and inject an HTML tag. For example,
Greet_user = username
Hello
- Now, injecting HTML tag.
Greet_user = username}}<tag>
Hello user_x <tag>
Preventions
Preventions for server-side template injection can vary based on the template engine used. Though sandboxing and sanitization can be used to prevent this vulnerability.
- Sandboxing –
It is used to create an isolated test environment on a network that imitates end-user operating environments, in which a user can run, analyze, or observe code. It avoids threats from getting into the network and also helps in inspecting untrusted or untested code. - Sanitization –
Templates shouldn’t be generated from the user-controlled input. The user should pass the input to the template only by using template parameters. Sanitize the input before passing it to the templates by eliminating undesirable and unsafe characters before parsing the information. This reduces the vulnerabilities for any mischievous investigating of your templates.
Server-Side Template Injection
SSTs (Server-Side Templates) facilitate easy dynamic HTML generation, but they are susceptible to SSTI attacks. While SSTs enhance webpage customization and performance by processing user information directly on the server, their vulnerability underscores the importance of robust security measures in web development.