Server-Side Template Injection(SSTI)

 

What are Template Engines?

Web developers uses template engines populate dynamic data into modern web pages. This enable them to separate business logic with presentation logic. When web pages come from a web template, they can structure the component of web pages in such a way that can be modified independently of each other. A component can include anything like header, footer, content such as videos, images, audio. Templates Engines are commonly used to:

  • Displays information about users, products, companies
  • Displays gallery of photos, videos.
  • Sell products online
  • Sends bulk emails

Some examples of Template Engines are:

Java (Free marker, Velocity), PHP (smarty, twig), python (Jinja, tornado), ruby (Liquid) have a templating engine and many other languages use libraries to do this kind of work.

 

template-engine

 

template-engine-example

 

A demo code from Smarty Template Engine:

<html>
<head>
   <title>
      User Info
   </title>
</head>
<body>
    User Information:<p>
    Name:{$name}<br>
    Address:{$address}<br>
</body>
</html>

include(‘smarty.class.php’);
//create object
//assign some content. this would typically come from
//a database or other source, but we will use static
//values for the purpose of this example.
$smarty->assign(‘name’,’george smith’);
$smarty->assign(‘address’,’45th & Harris’);

//display it
$smarty->display(‘index.tpl’);

What is Template Injection?

When the user input is embedded in Template files in an unsafe manner. Such kind of attack can be confused with Cross-site Scripting attack.From an Attacker’s view, the XSS attack is well-known and often straightforward to exploit but the SSTI vulnerability can be missed it. The risk is all the greater in that it may lead to an arbitrary remote code execution.

Example of Template Injection:

A Marketing Application with email greeting.

Template Engine: Twig
$output = $twig->render(“Dear, $_GET[‘name’]”, array("first_name" => $user.first_name) );
Name = Tester						Name = {{7*7}}
> Dear, Tester			     		      		> Dear, 49
Name = {{self}}
> Dear, Object of class __TwigTemplate_7ae62e582f8a35e5ea6cc639800ecf15b96c0d6f78db3538221c1145580ca4a5 
could not be converted to string

How to Identify a Template Injection?

 

how-to-identify-template-injection

– {{7*’7’}} will result 49 in Twig and 7777777 in Jinja2

 

Automated Tools:

– Tplmap:

Tplmap assists the exploitation of Code Injection and Server-Side Template Injection vulnerabilities with several sandbox escape techniques to get access to the underlying operating system.

$ ./tplmap.py -u ‘http://www.target.com/page?name=John’

How can SSTI Impact :

Server-side template injection can impact in various ways from Information disclosure to XSS to Remote Code execution.

How can we mitigate SSTI?

As we now know about Template injection, and how to identify and Exploit it, Now lets move to mitigation part. Mitigation defers depending on which Template Engine is being used. Below are the best suggested mitigations:

  1. Framework and Library updates.
  2. Input Sanitization.
  3. Sandboxing.