Unveiling the Secrets of Server-Side Template Injection (SSTI) in Flask and Jinja2

In the world of web security, Server-Side Template Injection (SSTI) is a critical vulnerability that can lead to devastating consequences. It allows attackers to execute arbitrary code on the server, potentially compromising sensitive data and system integrity. In this blog post, we’ll explore SSTI in the context of Flask, a popular Python web framework, and its default templating engine, Jinja2. We’ll walk through how SSTI works, identify vulnerabilities, craft exploits, and ultimately secure your applications.

Server-Side Template Injection occurs when user input is unsafely incorporated into a server-side template, allowing an attacker to inject and execute arbitrary code on the server. Flask, which uses Jinja2 for templating, can be particularly vulnerable if not handled correctly.

Templates and Rendering

Flask uses Jinja2 as its template engine. Jinja2 templates contain static data and dynamic placeholders (e.g., {{ variable }}) that are replaced with actual values during rendering.

User Input in Templates

When user input is directly included in a template without proper sanitization or escaping, it can lead to SSTI. Consider the following example:

<p>Hello, {{ user_input }}!</p>

If user_input is not sanitized, an attacker can inject Jinja2 code.

Jinja2 Expression Injection

Jinja2 allows execution of expressions within {{ }}. These expressions can include variable references, mathematical operations, and function calls. For instance, injecting {{ 7*7 }} will render 49.

Arbitrary Code Execution

By leveraging Jinja2’s capabilities, an attacker can access Python’s global objects and libraries, potentially escalating to executing arbitrary system commands.

As im playing the Besides Bengaluru CTF and Im solvin WEB category CTF. in that that provide us:

The time has come… You finally graduated from your four year trek through university. It is time to join the workforce by getting your first job! Luckily, your friend sent you his company’s job application. Fill it out and see if you can get the job!

Note: The flag is located at /flag.txt

This application is built with Flask and uses templates rendered by Jinja2. How can this combination be exploited?

This was the link: http://host3.metaproblems.com:4155/

so i visited the site and see this!!!

after that i click on job application and in that i saw a form page type like this:

from the description i know it was made in Flask and uses templates rendered by Jinja2.

Use Jinja2-specific payloads to test for injection. Start with a simple payload like {{ 7*7 }}. Submit the form with this payload and check if 49 is displayed.

Then i check whether the comment section is vulnerable by SSTI or not?? so i made simple payload and run this:

and when i apply then you know what happens?? its exploit the scripts 😁

so i know the flag location where its as they told in description that is in /flag.txt so what i craft the payload for this and it was like:

{{ config.__class__.__init__.__globals__['os'].popen('cat /flag.txt').read() }}

Inject this payload into the same input field.

Submit the form with the crafted payload. The response page should now contain the contents of the /flag.txt file, which is your flag.

Boom!! we got the flag which is MetaCTF{somet1mes_th3_r3nderer_goe$_on_b3nder}

Detailed Breakdown of the Exploit Payload:

{{ config.__class__.__init__.__globals__['os'].popen('cat /flag.txt').read() }}config: Refers to Flask’s configuration object.config.class: Accesses the class of the config object.config.class.init: Accesses the constructor method of the config class.config.class.init.globals: Accesses the global variables in the constructor’s scope.[‘os’]: Retrieves the os module from the global variables.popen(‘cat /flag.txt’): Executes the cat /flag.txt command to read the file..read(): Reads the output of the command.

Server-Side Template Injection is a critical vulnerability that can lead to severe security risks. By understanding how SSTI works and how to exploit it, you can better defend your applications against such attacks. Always validate and sanitize user inputs, and be cautious when rendering templates that include user data.

To prevent SSTI, follow these best practices:

Sanitize Inputs: Avoid rendering user input directly in templates. Use proper escaping and sanitization mechanisms.from markupsafe import escape
user_input = escape(user_input)

2. Template Engine Security: Configure the template engine to limit what can be accessed from the template. For example, disable certain global objects or limit the scope of what can be used within the template.

app.jinja_env.globals.update({
'os': None,
'popen': None,
})

3. Regular Security Audits: Perform regular security reviews and audits of your codebase. Use automated tools to detect potential vulnerabilities.

Stay safe and happy hacking!

~By 1cYinfinity