SSTI & CSTI
SSTI
X-Side Template Injection:-
These Two Types:
Client-Side Template Injection
Server-Side Template Injection
1) Client-Side Template Injection
usually found in JavaScript
for Example
{{<script> alert(’1773’ </script>) }}
this payload to GET to Vulnerability SSTI To XSS (Cros-Side scripting)
Code Vulnerable CSTI
<script id="entry-template" type="text/x-handlebars-template"> <div class="message">{{userInput}}</div> </script>
Exploit CSTI:
{{<script>alert('CSTI')</script>}}
Impact of CSTI
Cross-Site Scripting (XSS): This is the most common result, where an attacker can execute arbitrary JavaScript in the context of the victim's browser.
Data Theft: Attackers can steal cookies, session tokens, or other sensitive data.
Phishing: Attackers can craft convincing phishing attacks by modifying the DOM to present fake login forms or other malicious content.
Remote Code Execution (RCE): In rare cases, if the template engine has server-side capabilities or if there are other weaknesses, attackers might be able to achieve RCE.
Preventing (Mitigation) CSTI
Input Validation and Sanitization: Always validate and sanitize user inputs before incorporating them into templates. Use libraries that are designed to safely handle templates and user inputs.
Escape User Inputs: Ensure that user inputs are properly escaped before being injected into templates. This prevents malicious code from being interpreted as executable code.
Use Trusted Template Engines: Use well-maintained and trusted template engines that have built-in protections against such injections.
Content Security Policy (CSP): Implement CSP headers to restrict the execution of unauthorized scripts, reducing the impact of potential CSTI.
2) Server-Side Template Injection
Code Vulnerable SSTI
Jinja2 (Python):
from flask import Flask, render_template_string, request
from jinja2 import Template
app = Flask(__name__)
@app.route('/')
def index():
name = request.args.get('name', 'world') # Get the 'name' query parameter, defaulting to 'world'
template = Template('<h2>Hello {{ name }}!</h2>')
return render_template_string(template.render(name=name))
if __name__ == '__main__':
app.run(debug=True, host='0.0.0.0')
Thymeleaf (Java):
@Controller
public class GreetingController {
@RequestMapping("/greet")
public String greet(@RequestParam(name="name", required=false, defaultValue="World") String name, Model model) {
model.addAttribute("name", name);
return "greet";
}
}
Identifying and Exploiting SSTI
Initial Testing: Inject common template syntax like
${7*7}
,{{7*7}}
, or<%= 7*7 %>
into user inputs and observe the output.Confirming SSTI: If the application outputs
49
or equivalent computation results, it indicates an SSTI vulnerability.Payload Crafting: Once confirmed, craft payloads to execute more complex expressions or functions. For example, in Jinja2
{{ config.items() }}
{{ request.application.__globals__.__builtins__.__import__('os').popen('ls').read() }}
Mitigation Strategies
Input Sanitization: Always sanitize and validate user inputs.
Context-Aware Escaping: Use appropriate escaping mechanisms for the context where user input is included.
Template Engine Configuration: Configure template engines securely by disabling unnecessary features and restricting execution environments.
Use Safe Substitutions: Avoid direct inclusion of user inputs in templates. Use safe functions or methods provided by the template engine.
Last updated