0Sec
0Sec
0Sec
  • Spider Security
  • offensive security
    • OSCP
      • WriteUps
        • PortSwigger
          • SQL injection labs
          • Exploiting XXE to retrieve data by repurposing a local DTD
        • PentesterLabs
          • Recon
        • HTB
          • BoardLight
          • Lame
        • THM
          • Walkthroughs
            • Attacktive Directory
            • LineKernel
            • Day 1 — Linux PrivEsc
          • CTF
            • Page
            • BLUE
            • mKingdom
            • RazorBlack
      • Module 1 (General Info)
      • Module 2 (Getting Kali)
        • Leason 1 - Booting Up Kali Linux
        • Leason 2 - The Kali Menu
        • Leason 4 - Finding Your Way Around Kali
        • Leason 5 - Managing Kali Linux Services
      • Module 3 (CLI)
        • The Bash Environment
        • Piping and Redirection
        • Text Searching and Manipulation
          • Regular
        • Managing Processes
        • File and Command Monitoring
      • Module 4 (Practical Tools)
        • Netcat
        • Socat
        • PowerShell & Powercat
        • Wireshark
        • Tcpdump
      • Module 5 (Bash Script)
      • Module 6 (Passive Info Gathering)
      • Module 7 ( Active Info Gathering)
      • Module 8 (Vulnerability Scanning)
      • Module 9 (Web Application Attacks)
        • Cross Site Scripting (XSS)
        • local file inclusion & remote file inclusion
          • Exploit LFI
        • SQL injection
          • Blind Boolean based SQL & Evasion Techniques
          • SQL
          • Login bypass List
        • File upload
        • Remote code execution
      • Module 10 ( Intro Buffer OverFlow)
      • Module 11 (Widows Buffer OverFlow)
        • Buffer OverFlow Challange
      • Module 12 (Linux Buffer OverFlows)
      • Module 13 (Clint Side Attacks)
      • Module 14 (Locating Public Exploits)
      • Module 15 (FIxing Exploits)
      • Module 16 (File Transfers)
      • Module 17 (Antivirus Evasion)
        • Windows
      • Module 18 (Privllege Escalation)
        • Windows
          • Checklist
          • THM - Windows PrivEsc Arena
        • Linux
          • Checklist
          • Linux PrivEsc Arena
      • Module 19 (Password Attacks)
      • Module 20 (Port Redirection and Tunneling)
      • Module 21 (Active Directory Attacks)
        • adbasics_v1.2
      • Module 22 (Metasploit Framwork)
      • Module 23 (Powershell Empire)
      • Course Materials
  • SANS
  • AppSec
    • EWAPTX
      • PHP Type Juggling
      • CSP
      • SqlI
        • Information_schema
        • WriteUps
      • SSTI & CSTI
      • XSS_HTML Injection
      • CORS Attack
      • Clickjacking
      • Open redirect
      • JSONP
      • LFI && LFD && RFI
      • HTTP Host header attacks
      • CSRF
      • XML injection
      • XML external entity (XXE) injection
      • APIs & JWT attacks
      • Insecure Deserialization
      • OAUTH 2.0 authentication vulnerabilities
      • Host Header Injection
      • Insecure Direct Object References (IDOR)
  • Reverse Eng & Malware dev
    • Internals
      • Windows internals
        • Topics in GitHub
        • Chapter 1 Concepts and tools
        • Chapter 2. System architecture
        • Chapter 3. Processes and jobs
        • Chapter 4. Threads
        • Chapter 5. Memory management
        • Chapter 6. I/O system
        • Chapter 7. Security
      • Linux internals ⇒ Soon
      • MacOs X internals ⇒ Soon
  • cheat sheet
    • Pentest_Notes
    • Linux BOF & Wireless Attacks
    • WriteUps
Powered by GitBook
On this page
  • SSTI
  • 1) Client-Side Template Injection
  • 2) Server-Side Template Injection
  1. AppSec
  2. EWAPTX

SSTI & CSTI

SSTI

X-Side Template Injection:-

These Two Types:

  1. Client-Side Template Injection

  2. Server-Side Template Injection

1) Client-Side Template Injection

usually found in JavaScript

for Example

{{<script> alert(’1773’ </script>) }}

this payload to GET to Vulnerability SSTI To XSS (Cros-Side scripting)

Code Vulnerable CSTI

<script id="entry-template" type="text/x-handlebars-template"> <div class="message">{{userInput}}</div> </script>

Exploit CSTI:

{{<script>alert('CSTI')</script>}}

Impact of CSTI

  • Cross-Site Scripting (XSS): This is the most common result, where an attacker can execute arbitrary JavaScript in the context of the victim's browser.

  • Data Theft: Attackers can steal cookies, session tokens, or other sensitive data.

  • Phishing: Attackers can craft convincing phishing attacks by modifying the DOM to present fake login forms or other malicious content.

  • Remote Code Execution (RCE): In rare cases, if the template engine has server-side capabilities or if there are other weaknesses, attackers might be able to achieve RCE.

Preventing (Mitigation) CSTI

  1. Input Validation and Sanitization: Always validate and sanitize user inputs before incorporating them into templates. Use libraries that are designed to safely handle templates and user inputs.

  2. Escape User Inputs: Ensure that user inputs are properly escaped before being injected into templates. This prevents malicious code from being interpreted as executable code.

  3. Use Trusted Template Engines: Use well-maintained and trusted template engines that have built-in protections against such injections.

  4. Content Security Policy (CSP): Implement CSP headers to restrict the execution of unauthorized scripts, reducing the impact of potential CSTI.

2) Server-Side Template Injection

Code Vulnerable SSTI

Jinja2 (Python):

from flask import Flask, render_template_string, request
from jinja2 import Template

app = Flask(__name__)

@app.route('/')
def index():
    name = request.args.get('name', 'world')  # Get the 'name' query parameter, defaulting to 'world'
    template = Template('<h2>Hello {{ name }}!</h2>')
    return render_template_string(template.render(name=name))

if __name__ == '__main__':
    app.run(debug=True, host='0.0.0.0')

Thymeleaf (Java):

@Controller
public class GreetingController {
    @RequestMapping("/greet")
    public String greet(@RequestParam(name="name", required=false, defaultValue="World") String name, Model model) {
        model.addAttribute("name", name);
        return "greet";
    }
}

Identifying and Exploiting SSTI

  1. Initial Testing: Inject common template syntax like ${7*7}, {{7*7}}, or <%= 7*7 %> into user inputs and observe the output.

  2. Confirming SSTI: If the application outputs 49 or equivalent computation results, it indicates an SSTI vulnerability.

  3. Payload Crafting: Once confirmed, craft payloads to execute more complex expressions or functions. For example, in Jinja2

{{ config.items() }}
{{ request.application.__globals__.__builtins__.__import__('os').popen('ls').read() }}

Mitigation Strategies

  1. Input Sanitization: Always sanitize and validate user inputs.

  2. Context-Aware Escaping: Use appropriate escaping mechanisms for the context where user input is included.

  3. Template Engine Configuration: Configure template engines securely by disabling unnecessary features and restricting execution environments.

  4. Use Safe Substitutions: Avoid direct inclusion of user inputs in templates. Use safe functions or methods provided by the template engine.

PreviousWriteUpsNextXSS_HTML Injection

Last updated 9 months ago