SSTI (Server-Side Template Injection)¶
Vulnerability Name¶
Server-side template injection on [Parameter] in [Module/Functionality]
Vulnerability Description¶
Server-side template injection is when an attacker is able to use native template syntax to inject a malicious payload into a template, which is then executed server-side. This allows attackers to inject arbitrary template directives in order to manipulate the template engine, often enabling them to take complete control of the server.
As the name suggests, server-side template injection payloads are delivered and evaluated server-side, potentially making them much more dangerous than a typical client-side template injection.
Add your specific vulnerability description if required, the one given above is a general description.
Payload¶
Steps to Reproduce¶
- Go to [Affected URL].
- Intercept the request in burp suite and send it to repeater.
- Change the value of [Vulnerable Parameter] to the above payload and send the request.
- Observe as the payload executes in the response.
POC¶
Modify the steps to reproduce above if required. Attach snapshots (POC) or a video link here.
Impact¶
At the severe end of the scale, an attacker can potentially achieve remote code execution, taking full control of the back-end server and using it to perform other attacks on internal infrastructure.
Even in cases where full remote code execution is not possible, an attacker can often still use server-side template injection as the basis for numerous other attacks, potentially gaining read access to sensitive data and arbitrary files on the server.
Add your specific impact if required, the one given above is a general impact.
Remediation¶
- One of the simplest ways to avoid introducing server-side template injection vulnerabilities is to always use a "logic-less" template engine, such as Mustache, unless absolutely necessary.
- Separating the logic from the presentation as much as possible can greatly reduce your exposure to the most dangerous template-based attacks.
- Another measure is to only execute users' code in a sandboxed environment where potentially dangerous modules and functions have been removed altogether.
Add your specific remediation if required, the above is a general remediation.