Web developers use template engines to populate modern web pages with dynamic data. This enables them to separate business logic from presentation logic. When web pages are generated from a template, their components can be structured so that each can be modified independently of the others. A component can be anything: a header, a footer, or content such as videos, images and audio. Template engines are commonly used to:
Java (FreeMarker, Velocity), PHP (Smarty, Twig), Python (Jinja, Tornado) and Ruby (Liquid) each have templating engines, and many other languages use libraries to do this kind of work.
<?php
include('smarty.class.php');
//create object
$smarty = new Smarty();
//assign some content. this would typically come from
//a database or other source, but we will use static
//values for the purpose of this example.
$smarty->assign('name', 'george smith');
$smarty->assign('address', '45th & Harris');
//display it
$smarty->display('index.tpl');
Server-side template injection (SSTI) occurs when user input is embedded into a template in an unsafe manner. This kind of attack can be confused with cross-site scripting. From an attacker's view, XSS is well known and often straightforward to exploit, but an SSTI vulnerability can be missed. The risk is all the greater because it may lead to arbitrary remote code execution.
Example: a marketing application with an email greeting.
$output = $twig->render("Dear, {$_GET['name']}", array("first_name" => $user->first_name));
Name = Tester
> Dear, Tester

Name = {{7*7}}
> Dear, 49

Name = {{self}}
> Dear, Object of class __TwigTemplate_7ae62e582f8a35e5ea6cc639800ecf15b96c0d6f78db3538221c1145580ca4a5 could not be converted to string
– {{7*'7'}} will result in 49 in Twig and 7777777 in Jinja2
– Tplmap:
Tplmap assists in the exploitation of Code Injection and Server-Side Template Injection vulnerabilities with several sandbox escape techniques to get access to the underlying operating system.
$ ./tplmap.py -u 'http://www.target.com/page?name=John'
Server-side template injection can have a range of impacts, from information disclosure to XSS to remote code execution.
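The probes shown above ({{7*7}}, {{self}}, {{7*'7'}}) and the requests a tool like Tplmap sends all carry template delimiters in the query string, which makes them easy to spot in access logs. The following PHP scanner is an added example and is not code from the original post or from Tplmap: it URL-decodes each log line and flags delimiter syntax from several engine families. The log lines are constructed for the example, and the function names are assumptions of this example.

```php
<?php
// Added example (not from the original post): flag template-syntax probes in
// web-server access-log lines. Log lines below are constructed for the example.

/** Delimiter patterns for common engine families, keyed by a short label. */
function templateProbePatterns(): array
{
    return [
        'twig/jinja2 expression' => '/\{\{.*?\}\}/',   // {{ 7*7 }}, {{ self }}
        'twig/jinja2 statement'  => '/\{%.*?%\}/',     // {% ... %}
        'freemarker/velocity'    => '/\$\{.*?\}/',     // ${ 7*7 }
        'erb/jsp'                => '/<%=?.*?%>/',     // <%= 7*7 %>
    ];
}

/**
 * Return every delimiter family found in one access-log line.
 * Query strings arrive URL-encoded, so the line is decoded first: this makes
 * %7B%7B7*7%7D%7D and {{7*7}} match the same way.
 */
function findTemplateProbes(string $logLine): array
{
    $decoded = rawurldecode($logLine);
    $hits = [];
    foreach (templateProbePatterns() as $family => $regex) {
        if (preg_match($regex, $decoded, $m) === 1) {
            $hits[] = ['family' => $family, 'match' => $m[0]];
        }
    }
    return $hits;
}

// Constructed sample log: one normal request followed by three probes of the
// kind shown in the post (arithmetic, {{self}}, and a ${...} variant).
$accessLog = [
    '10.0.0.5 - - [13/Feb/2024:12:17:01 +0000] "GET /page?name=John HTTP/1.1" 200 512',
    '10.0.0.9 - - [13/Feb/2024:12:17:02 +0000] "GET /page?name=%7B%7B7*7%7D%7D HTTP/1.1" 200 498',
    '10.0.0.9 - - [13/Feb/2024:12:17:03 +0000] "GET /page?name=%7B%7Bself%7D%7D HTTP/1.1" 500 210',
    '10.0.0.9 - - [13/Feb/2024:12:17:04 +0000] "GET /page?name=%24%7B7*7%7D HTTP/1.1" 200 501',
];

foreach ($accessLog as $line) {
    $hits = findTemplateProbes($line);
    if ($hits === []) {
        continue;
    }
    echo "suspicious: $line\n";
    foreach ($hits as $hit) {
        echo "  {$hit['family']}: {$hit['match']}\n";
    }
}
```

The first line is not flagged; the other three are. A 500 status paired with a flagged line (the {{self}} request) is the server-side counterpart of the "could not be converted to string" error shown earlier, which is a useful secondary signal when tuning alerts.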
Now that we know what template injection is and how to identify and exploit it, let's move on to mitigation. Mitigation differs depending on which template engine is being used. Below are the best-suggested mitigations:
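For Twig, the engine used in the greeting example above, the core mitigation is to keep the template source fixed and pass user input only as a context variable. The following is an added example, not code from the original post or from the Twig project: it places the vulnerable pattern (user input concatenated into the template source) beside the hardened one. It assumes Twig 3 installed via Composer at the usual vendor/autoload.php path; the function names and the template name "greeting" are assumptions of this example.

```php
<?php
// Added example (not from the original post). Assumes Twig 3 via Composer.
require_once __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Loader\ArrayLoader;

// Vulnerable: user input becomes part of the template *source*, so any Twig
// syntax it contains ({{ 7*7 }}, {{ self }}, ...) is parsed and evaluated.
function renderGreetingVulnerable(Environment $twig, string $name): string
{
    $template = $twig->createTemplate('Dear, ' . $name);
    return $template->render([]);
}

// Hardened: the template source is a fixed string registered up front, and the
// user-supplied name only ever enters as a context variable. Twig then treats it
// as data (rendered literally) and auto-escapes it for HTML output.
function renderGreetingSafe(Environment $twig, string $name): string
{
    return $twig->render('greeting', ['name' => $name]);
}

$loader = new ArrayLoader(['greeting' => 'Dear, {{ name }}']);
$twig   = new Environment($loader, ['autoescape' => 'html']);

// Constructed input: the same probe the post uses. In a real handler this
// would come from $_GET['name'].
$probe = '{{7*7}}';

echo renderGreetingVulnerable($twig, $probe), PHP_EOL;
echo renderGreetingSafe($twig, $probe), PHP_EOL;
```

The vulnerable function reproduces the behaviour shown earlier (the probe is evaluated as template code); the hardened function prints the probe text back unchanged, escaped for HTML, because the template source never contained it. The same separation applies to the Smarty example at the top of the page: `assign()` is the context-variable path, whereas building a template string from request data is the injection path.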
This post was last modified on February 13, 2024 12:17