SlideShare a Scribd company logo

Server side tempalate injection

Download as PPTX, PDF
Narendra Kumar, profile picture
Narendra Kumar

The document discusses server-side template injection (SSTI), explaining what templates and template engines are, including examples and types such as Twig and Smarty. It highlights how vulnerabilities arise from untrusted input being concatenated with template files, and provides detection methods and exploitation techniques. The document also emphasizes the importance of understanding the template engine's behavior and security considerations when testing applications.

Presentations & Public Speaking
1 of 19
Downloaded 10 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
SERVER SIDE TEMPALATE INJECTION BY : NARENDRA KUMAR Null|OWASP|G4H 16 DEC 2017 @0ddhawk
Outline • Introduction • Template /template engines • Detect • Identify • Exploit
What is template?
What is template? • Layout /predefine structure • Might need to provide specific information before its usable. • Produces HTML • Reduce typing • Faster
Example • Welcome to Null meet • Null meets are open for everyone Produces HTML • <h1>Welcome to Null meet</h1> • Null meets are open for everyone Classic HTML • H1 Welcome to Null meet • P Null meets are open for everyonetemplate
What is template engine ?
Example : • Welcome to OWASP • OWASP meets are open for everyoneProduce • {name : ‘OWASP’ • Category : ‘meets are open for everyone’}Data • <h1>Welcome to<%=name%><h1> • <p><%=name%><%=category%></p>Template
Type of template engines • Freemarker • Velocity • Smarty • Twig/Twig sandbox • Jade • EJS etc.
What is template injection?
What is template injection Example 1: Marketing application for bulk emails $output = $twig->render("Dear {first_name},", array("first_name" => $user.first_name) ); Example 2: $output = $twig->render($_GET['custom_email'], array("first_name" => $user.first_name) ); Note: Customize input arise problems A template injection may occur when an untrusted input is concatenated to a template file
Template engine behavior • Plaintext context • Code context
Plain context • Template engine syntax: • Ex 1: smarty • Hello {user.name} Hello user1 • Ex 2: Freemarker • Hello ${username} Hello user2
Detection of SSTI • Ex 1: smarty Hello ${7*7} Hello 49 • Ex2: freemarker Hello ${7*7} Hello 49 • Other payloads syntax: { var} ${var} {{var}} <%var%> [%var%]
Code Context • Ex 1: personal_greeting=username Hello user01 Breaking out template • personal_greeting=username<tag> Expected error/empty string personal_greeting=username}}<tag> Hello user01 <tag>
First step done
How to identify template engine •language-specific payloads decision tree Note: this technique fails when error messages are suppressed Example: the probe {{7*'7'}} would result in 49 in Twig, 7777777 in Jinja2
Exploit • Read |-cover basic syntax |-Security considerations-chances are whoever developed the app you're | testing didn't read this, and it may contain some useful hints |- built-in methods, functions, filters, and variables |-extensions/plugins - some may be enabled by default • Explore • Default objects provided by template/application : self • If no builtin self object : burteforce variable name(developer supplied objects are particularly contain sensitive information) • Attack • firm idea of the attack surface available to you
Demo
References • http://blog.portswigger.net/2015/08/server-side- template-injection.html • https://github.com/twigphp/Twig/blob/e22fb872 8b395b306a06785a3ae9b12f3fbc0294/lib/Twig/E nvironment.php#L874 • https://twig.symfony.com/ • http://mrbool.com/understanding-twig-php- template-engine/32460

More Related Content

PDF
Ch. 12 security
Manolis Vavalis
 
PPTX
PowerShell - Be A Cool Blue Kid
Matthew Johnson
 
PDF
"Real-time Collaborative Text Editing on Grammarly’s Front-End Team" Oleksii...
Fwdays
 
PPTX
Tech talk on code quality
Alexander Osin
 
PPT
Generics
Sankar Balasubramanian
 
PDF
walkmod: quick start
walkmod
 
PPTX
Introduction to Javascript By Satyen
Satyen Pandya
 
PDF
walkmod: how it works
walkmod
 
Ch. 12 security
Manolis Vavalis
 
PowerShell - Be A Cool Blue Kid
Matthew Johnson
 
"Real-time Collaborative Text Editing on Grammarly’s Front-End Team" Oleksii...
Fwdays
 
Tech talk on code quality
Alexander Osin
 
Generics
Sankar Balasubramanian
 
walkmod: quick start
walkmod
 
Introduction to Javascript By Satyen
Satyen Pandya
 
walkmod: how it works
walkmod
 

Similar to Server side tempalate injection (9)

PPTX
Server side tempalate injection
Narendra Kumar
 
PPTX
Server Side Template Injection by Mandeep Jadon
Mandeep Jadon
 
PPTX
Server-side template injection- Slides
Amit Dubey
 
PPTX
Basics of Server Side Template Injection
Vandana Verma
 
PDF
Basics of ssti infosec girlswebinar
Shrutirupa Banerjiee
 
PPTX
Nguyen Phuong Truong Anh - Some new vulnerabilities in modern web application
Security Bootcamp
 
PDF
Twig, the flexible, fast, and secure template language for PHP
Fabien Potencier
 
PPTX
Use Symfony2 components inside WordPress
Maurizio Pelizzone
 
PDF
Mastering Twig (DrupalCon Barcelona 2015)
Javier Eguiluz
 
Server side tempalate injection
Narendra Kumar
 
Server Side Template Injection by Mandeep Jadon
Mandeep Jadon
 
Server-side template injection- Slides
Amit Dubey
 
Basics of Server Side Template Injection
Vandana Verma
 
Basics of ssti infosec girlswebinar
Shrutirupa Banerjiee
 
Nguyen Phuong Truong Anh - Some new vulnerabilities in modern web application
Security Bootcamp
 
Twig, the flexible, fast, and secure template language for PHP
Fabien Potencier
 
Use Symfony2 components inside WordPress
Maurizio Pelizzone
 
Mastering Twig (DrupalCon Barcelona 2015)
Javier Eguiluz
 
Ad

Recently uploaded (20)

PDF
Parts of Speech Prepositions Presentation in Colorful Cute Style_20250724_230...
ShomailahRashid
 
PPTX
Effective_Handling_Information_Presentation.pptx
HarisKaimKhani
 
PPTX
An Unlikely Response 08 10 2025.pptx
FamilyWorshipCenterD
 
PPTX
Introduction to Effective Communication.pptx
AnithaT18
 
PPTX
Self management and self evaluation presentation
NikkySharma5
 
DOCX
ENGLISH PROJECT FOR BINOD BIHARI MAHTO KOYLANCHAL UNIVERSITY
NewGautamInternateHu
 
PPTX
Relationship Management Presentation In Banking.pptx
ssuser1d0512
 
PDF
Presentation1 [Autosaved].pdf diagnosiss
moibrahim20044
 
PPTX
worship songs, in any order, compilation
wilmalenetoledo
 
PDF
Tunisia's Founding Father(s) Pitch-Deck 2022.pdf
Hafedh Hafez Mechergui
 
PPTX
Intro to ISO 9001 2015.pptx wareness raising
nadianisar5
 
PPTX
ART-APP-REPORT-FINctrwxsg f fuy L-na.pptx
ajp27480
 
PPTX
Anesthesia and it's stage with mnemonic and images
panchalkhushal24
 
PPTX
2025-08-10 Joseph 02 (shared slides).pptx
Dale Wells
 
PPTX
BIOLOGY TISSUE PPT CLASS 9 PROJECT PUBLIC
iamsrinjandatta
 
PDF
natwest.pdf company description and business model
palakbakshi13
 
PPT
First Aid Training Presentation Slides.ppt
WilliamMigoya
 
PPTX
Introduction-to-Food-Packaging-and-packaging -materials.pptx
pragyanlahkar16
 
PPTX
Role and Responsibilities of Bangladesh Coast Guard Base, Mongla Challenges
Tasnim Alam Safin
 
PPTX
Emphasizing It's Not The End 08 06 2025.pptx
FamilyWorshipCenterD
 
Parts of Speech Prepositions Presentation in Colorful Cute Style_20250724_230...
ShomailahRashid
 
Effective_Handling_Information_Presentation.pptx
HarisKaimKhani
 
An Unlikely Response 08 10 2025.pptx
FamilyWorshipCenterD
 
Introduction to Effective Communication.pptx
AnithaT18
 
Self management and self evaluation presentation
NikkySharma5
 
ENGLISH PROJECT FOR BINOD BIHARI MAHTO KOYLANCHAL UNIVERSITY
NewGautamInternateHu
 
Relationship Management Presentation In Banking.pptx
ssuser1d0512
 
Presentation1 [Autosaved].pdf diagnosiss
moibrahim20044
 
worship songs, in any order, compilation
wilmalenetoledo
 
Tunisia's Founding Father(s) Pitch-Deck 2022.pdf
Hafedh Hafez Mechergui
 
Intro to ISO 9001 2015.pptx wareness raising
nadianisar5
 
ART-APP-REPORT-FINctrwxsg f fuy L-na.pptx
ajp27480
 
Anesthesia and it's stage with mnemonic and images
panchalkhushal24
 
2025-08-10 Joseph 02 (shared slides).pptx
Dale Wells
 
BIOLOGY TISSUE PPT CLASS 9 PROJECT PUBLIC
iamsrinjandatta
 
natwest.pdf company description and business model
palakbakshi13
 
First Aid Training Presentation Slides.ppt
WilliamMigoya
 
Introduction-to-Food-Packaging-and-packaging -materials.pptx
pragyanlahkar16
 
Role and Responsibilities of Bangladesh Coast Guard Base, Mongla Challenges
Tasnim Alam Safin
 
Emphasizing It's Not The End 08 06 2025.pptx
FamilyWorshipCenterD
 
Ad

Server side tempalate injection

  • 1. SERVER SIDE TEMPALATE INJECTION BY : NARENDRA KUMAR Null|OWASP|G4H 16 DEC 2017 @0ddhawk
  • 2. Outline • Introduction • Template /template engines • Detect • Identify • Exploit
  • 4. What is template? • Layout /predefine structure • Might need to provide specific information before its usable. • Produces HTML • Reduce typing • Faster
  • 5. Example • Welcome to Null meet • Null meets are open for everyone Produces HTML • <h1>Welcome to Null meet</h1> • Null meets are open for everyone Classic HTML • H1 Welcome to Null meet • P Null meets are open for everyonetemplate
  • 6. What is template engine ?
  • 7. Example : • Welcome to OWASP • OWASP meets are open for everyoneProduce • {name : ‘OWASP’ • Category : ‘meets are open for everyone’}Data • <h1>Welcome to<%=name%><h1> • <p><%=name%><%=category%></p>Template
  • 8. Type of template engines • Freemarker • Velocity • Smarty • Twig/Twig sandbox • Jade • EJS etc.
  • 9. What is template injection?
  • 10. What is template injection Example 1: Marketing application for bulk emails $output = $twig->render("Dear {first_name},", array("first_name" => $user.first_name) ); Example 2: $output = $twig->render($_GET['custom_email'], array("first_name" => $user.first_name) ); Note: Customize input arise problems A template injection may occur when an untrusted input is concatenated to a template file
  • 11. Template engine behavior • Plaintext context • Code context
  • 12. Plain context • Template engine syntax: • Ex 1: smarty • Hello {user.name} Hello user1 • Ex 2: Freemarker • Hello ${username} Hello user2
  • 13. Detection of SSTI • Ex 1: smarty Hello ${7*7} Hello 49 • Ex2: freemarker Hello ${7*7} Hello 49 • Other payloads syntax: { var} ${var} {{var}} <%var%> [%var%]
  • 14. Code Context • Ex 1: personal_greeting=username Hello user01 Breaking out template • personal_greeting=username<tag> Expected error/empty string personal_greeting=username}}<tag> Hello user01 <tag>
  • 16. How to identify template engine •language-specific payloads decision tree Note: this technique fails when error messages are suppressed Example: the probe {{7*'7'}} would result in 49 in Twig, 7777777 in Jinja2
  • 17. Exploit • Read |-cover basic syntax |-Security considerations-chances are whoever developed the app you're | testing didn't read this, and it may contain some useful hints |- built-in methods, functions, filters, and variables |-extensions/plugins - some may be enabled by default • Explore • Default objects provided by template/application : self • If no builtin self object : burteforce variable name(developer supplied objects are particularly contain sensitive information) • Attack • firm idea of the attack surface available to you
  • 18. Demo

Editor's Notes

  • #11: 3:TI occurs when user input is embedded in template why example1 safe?
  • #12: How to detect template engine is in use? Plaintext context what is it?