Breaking Through the Template Barrier: The Dark Art of Server-Side Injection


During my participation in a recent bug bounty program for a Private Company with Responsible Disclosure, I discovered a Server-Side Template Injection vulnerability that could allow an attacker to execute arbitrary code on the server, potentially resulting in the compromise of sensitive data or complete control over the affected system. Server-side template injection occurs when user input is processed by a web application’s template engine without proper input validation, allowing attackers to inject malicious code into the template. In this report, I will provide a detailed description of the vulnerability, including its impact and steps to reproduce it, as well as suggestions for how to remediate the issue.

Understanding Server-Side Template Injection (SSTI)

Server-Side Template Injection (SSTI) is a security vulnerability that occurs when an application allows untrusted user input to be included in a server-side template, which is then rendered by the application. This can lead to remote code execution (RCE), where an attacker can execute arbitrary code on the server.

SSTI is particularly dangerous because it can be used to bypass security measures that are designed to prevent other types of attacks, such as SQL injection and cross-site scripting (XSS). Additionally, it can be challenging to detect and mitigate, as it can occur in many different types of applications and frameworks.

To understand how SSTI can be exploited, let’s consider an example. Suppose a web application uses a popular template engine, such as Jinja2, to generate HTML content dynamically. The application takes user input as a search query and passes it to the template engine to render search results.

How Does SSTI Work?

SSTI occurs when an application includes user input in a server-side template without proper sanitization or validation. This allows an attacker to inject code into the template, which is then executed by the server. The code can be used to perform a wide range of actions, including data exfiltration, privilege escalation, and even full server compromise.

SSTI can occur in many different types of applications, including web applications, content management systems, and other server-side frameworks. It can also happen in a variety of template languages, including Python’s Jinja2, Ruby’s ERB, and PHP’s Twig.

How I Found This Vulnerability

Step 1: I navigated to the login page, tried some random credentials and observed the error shown in the PoC below.

Wrong Login Error

Step 2: Thereafter I submitted a template injection payload and observed the error, which showed the result of the mathematical calculation; this confirmed it was template injection.

Injected Template Injection Payload

Step 3: Later, without wasting any time, I reported this vulnerability.

Step 4: Meanwhile I was searching for ways to exploit the vulnerability.

Step 5: After a few trials I got one working payload through which I was able to read /etc/passwd, as shown in the PoC below.

The exploitation of Template Injection Payload
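The confirmation in Step 2 relies on the engine evaluating an arithmetic expression such as {{7*7}}. From the defender's side, the same template syntax is what to look for in request logs. The following is an added example, not code from the original write-up: a small Python detector that URL-decodes each access-log line and flags the template-expression syntaxes of common engines. The log lines are constructed for the example.

```python
import re
from urllib.parse import unquote

# Expression syntaxes of common template engines (Jinja2/Twig, ERB, ${}/#{} styles).
PROBE_PATTERNS = [
    re.compile(r"\{\{.+?\}\}"),  # Jinja2 / Twig expression
    re.compile(r"\{%.+?%\}"),    # Jinja2 / Twig statement
    re.compile(r"<%=?.+?%>"),    # ERB
    re.compile(r"\$\{.+?\}"),    # Freemarker / EL-style expression
    re.compile(r"#\{.+?\}"),     # Ruby-style interpolation
]

# Constructed sample access-log lines (not taken from the write-up).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "POST /login?user=alice&pass=wrong HTTP/1.1" 401 512',
    '10.0.0.7 - - [01/Jan/2024:10:00:05 +0000] "POST /login?user=%7B%7B7*7%7D%7D&pass=x HTTP/1.1" 500 1320',
    '10.0.0.7 - - [01/Jan/2024:10:00:09 +0000] "GET /search?q=%3C%25%3D%207*7%20%25%3E HTTP/1.1" 200 880',
    '10.0.0.9 - - [01/Jan/2024:10:01:00 +0000] "GET /search?q=shoes HTTP/1.1" 200 2048',
]


def decode_parameters(value: str) -> str:
    """Undo up to two layers of URL encoding so %7B%7B7*7%7D%7D is seen as {{7*7}}."""
    for _ in range(2):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_ssti_probes(log_lines):
    """Return (original_line, matched_expression) for each line carrying template syntax.

    This is a triage heuristic: legitimate inputs containing braces will also
    match, so hits should be reviewed against the application's error rate
    (note the 500 on the probe request above) rather than alerted on blindly.
    """
    hits = []
    for line in log_lines:
        decoded = decode_parameters(line)
        for pattern in PROBE_PATTERNS:
            match = pattern.search(decoded)
            if match:
                hits.append((line, match.group(0)))
                break  # one hit per line is enough for triage
    return hits


if __name__ == "__main__":
    for line, expr in find_ssti_probes(SAMPLE_LOG):
        print(f"possible SSTI probe {expr!r} in: {line}")
```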

How Can You Detect and Mitigate SSTI?

Detecting and mitigating SSTI can be challenging, but some best practices can help. These include:

Sanitize User Input: The first step in preventing SSTI is to ensure that all user input is properly sanitized and validated. This means using input validation techniques such as whitelisting, blacklisting, and regular expressions to ensure that only safe data is included in the template.

Use Safe Templating Engines: Using a templating engine that is designed to prevent SSTI can also help. Popular templating engines like Jinja2 and ERB have built-in security features that can help prevent SSTI.

Limit Template Access: Limiting access to templates can also help prevent SSTI. This means restricting access to template files and ensuring that only authorized users can modify them.

Use Content Security Policy (CSP): Content Security Policy (CSP) is a browser feature that allows websites to specify which resources (such as JavaScript, CSS, and images) are allowed to be loaded. By using CSP, you can prevent attackers from injecting malicious code into your site.

Keep Software Up-to-Date: Finally, it’s important to keep all software up-to-date to ensure that known vulnerabilities are patched. This includes the application itself, as well as any third-party libraries and frameworks.
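The Jinja2 search-page scenario introduced earlier and the "safe templating" advice above come down to one rule: user input must enter the engine as render-context data, never as part of the template source. The following is an added example, not code from the original write-up; it assumes the jinja2 package is installed and shows the vulnerable pattern next to the hardened one, using the {{7*7}} probe from Step 2 to tell them apart.

```python
from jinja2 import Environment
from jinja2.sandbox import SandboxedEnvironment

# Constructed example: a fixed, developer-controlled template for the search page.
PAGE = "<h1>Results for {{ query }}</h1>"


def render_vulnerable(user_query: str) -> str:
    """SSTI pattern: the user's query is spliced into the template SOURCE,
    so any template syntax it contains is parsed and evaluated by the engine."""
    env = Environment(autoescape=True)
    template = env.from_string("<h1>Results for " + user_query + "</h1>")
    return template.render()


def render_safe(user_query: str) -> str:
    """Hardened form: the template string is fixed; the query only ever enters
    as DATA through the render context, where it is HTML-escaped and never
    parsed as template code. SandboxedEnvironment additionally blocks access to
    unsafe attributes even for expressions that do appear in a template."""
    env = SandboxedEnvironment(autoescape=True)
    template = env.from_string(PAGE)
    return template.render(query=user_query)


def probe_was_evaluated(user_query: str, rendered: str) -> bool:
    """The check from Step 2 of the write-up: did the output contain the
    arithmetic result (49) even though the input only contained 7*7?"""
    return "49" in rendered and "49" not in user_query


if __name__ == "__main__":
    probe = "{{7*7}}"
    print("vulnerable:", render_vulnerable(probe))  # arithmetic is evaluated
    print("safe:      ", render_safe(probe))        # probe echoed back as text
```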

Reply From Company:

Conclusion

SSTI is a severe security vulnerability that can lead to remote code execution and full server compromise. To prevent SSTI, it’s important to properly sanitize user input, use safe templating engines, limit template access, use Content Security Policy (CSP), and keep all software up-to-date. By following these best practices, you can help ensure the security of your applications and protect your users’ data.

Note: I have a few more pending unique write-ups which I will be publishing soon, so stay tuned.
