Server side tempalate injection
Download as PPTX, PDF1 like486 views
The document is a presentation on server-side template injection (SSTI) by Narendra Kumar, discussing the definition of templates and template engines, and how SSTI vulnerabilities can arise from untrusted user input. It includes examples of various template engines like Twig and Smarty, detection techniques, and exploitation methods. Additionally, it highlights the importance of security considerations and provides references for further reading on the topic.
![What is template injection
Example 1: Marketing application for bulk emails
$output = $twig->render("Dear {first_name},", array("first_name" =>
$user.first_name) );
Example 2:
$output = $twig->render($_GET['custom_email'], array("first_name" => $user.first_name) );
Note: Customize input arise problems
A template injection may occur when an untrusted input is concatenated to a template file](https://image.slidesharecdn.com/serversidetempalateinjectionnullbhopal-171230180945/85/Server-side-tempalate-injection-10-320.jpg)
![Detection of SSTI
• Ex 1: smarty
Hello ${7*7}
Hello 49
• Ex2: freemarker
Hello ${7*7}
Hello 49
• Other payloads syntax:
{ var} ${var} {{var}} <%var%> [%var%]](https://image.slidesharecdn.com/serversidetempalateinjectionnullbhopal-171230180945/85/Server-side-tempalate-injection-13-320.jpg)
Server side tempalate injection
- 1. BY : Narendra Kumar @0ddhawk SERVER SIDETEMPALATE INJECTION Null Bhopal 17 DEC 2017
- 2. Agenda • Introduction • Template /template engines • Detect • Identify • Exploit
- 4. What is template? • Layout /predefine structure • Might need to provide specific information before its usable. • Produces HTML • Reduce typing • Faster
- 5. Example • Welcome to Null meet • Null meets are open for everyone Produce HTML • <h1>Welcome to Null meet</h1> • Null meets are open for everyone Classic HTML • H1 Welcome to Null meet • P Null meets are open for everyonetemplate
- 6. What is template engine ? Template Data Template Engine Resulting Document
- 7. Example : • Welcome to OWASP • OWASP meets are open for everyoneProduce • {name : ‘OWASP’ • Category : ‘meets are open for everyone’}Data • <h1>Welcome to<%=name%><h1> • <p><%=name%><%=category%></p>Template
- 8. Type of template engines • Freemarker • Velocity • Smarty • Twig/Twig sandbox • Jade • EJS etc.
- 9. What is template injection?
- 10. What is template injection Example 1: Marketing application for bulk emails $output = $twig->render("Dear {first_name},", array("first_name" => $user.first_name) ); Example 2: $output = $twig->render($_GET['custom_email'], array("first_name" => $user.first_name) ); Note: Customize input arise problems A template injection may occur when an untrusted input is concatenated to a template file
- 11. Template engine behavior • Plaintext context • Code context
- 12. Plain context • Template engine syntax: • Ex 1: smarty • Hello {user.name} Hello user1 • Ex 2: Freemarker • Hello ${username} Hello user2
- 13. Detection of SSTI • Ex 1: smarty Hello ${7*7} Hello 49 • Ex2: freemarker Hello ${7*7} Hello 49 • Other payloads syntax: { var} ${var} {{var}} <%var%> [%var%]
- 14. Code Context • Ex 1: personal_greeting=username Hello user01 Breaking out template • personal_greeting=username<tag> Expected error/empty string personal_greeting=username}}<tag> Hello user01 <tag>
- 15. First step done
- 16. How to identify template engine •language-specific payloads decision tree Note: this technique fails when error messages are suppressed Example: the probe {{7*'7'}} would result in 49 in Twig, 7777777 in Jinja2
- 17. Time to get ready
- 18. Exploit • Read |-cover basic syntax |-Security considerations-chances are whoever developed the app you're | testing didn't read this, and it may contain some useful hints |- built-in methods, functions, filters, and variables |-extensions/plugins - some may be enabled by default • Explore • Default objects provided by template/application : self • If no builtin self object : burteforce variable name(developer supplied objects are particularly contain sensitive information) • Attack • firm idea of the attack surface available to you
- 19. Demo
- 20. References • http://blog.portswigger.net/2015/08/server-side- template-injection.html • https://github.com/twigphp/Twig/blob/e22fb8728 b395b306a06785a3ae9b12f3fbc0294/lib/Twig/Envi ronment.php#L874 • https://twig.symfony.com/ • http://mrbool.com/understanding-twig-php- template-engine/32460