![Template Injection -
■ User input is embedded in unsafe manner.
■ Confused by XSS.
Marketing application with email greeting
$output = $twig->render(“Dear, $_GET[‘name’]”, array("first_name" => $user.first_name) );
Name =Tester Name = {{7*7}}
> Dear,Tester > Dear, 49
Name = {{self}}
> Dear, Object of class __TwigTemplate_7ae62e582f8a35e5ea6cc639800ecf15b96c0d6f78db3538221c1145580ca4a5 could not
be converted to string](https://image.slidesharecdn.com/sstippt-190224160034/85/Server-side-template-injection-Slides-6-320.jpg)
![■ Detect –
Plain Text Context
- Can be confused with XSS
- {var} {{var}} ${var} <%var%> [% var %]
- Results in execution or error message.
- a{{var}}b
> Expect : ab or Error message
- a{{7*7}}b
> Expect : a49b
smarty=Hello {user.name}
> Hello user1](https://image.slidesharecdn.com/sstippt-190224160034/85/Server-side-template-injection-Slides-7-320.jpg)
![■ Input Sanitization –
- PHP
- JAVA
- ASP.NET
str_replace( array( ''', '"', ',' , ';', '<', '>','{','}', ), '', $name);
preg_replace('/[^a-zA-Z0-9_ -]/s','',$value);
Text = text.replaceAll ("[^a-zA-Z0-9]", "");
Regex.Replace(Your String, @"[^0-9a-zA-Z:,]+", "")](https://image.slidesharecdn.com/sstippt-190224160034/85/Server-side-template-injection-Slides-19-320.jpg)
Server-side template injection- Slides
- 1. SERVER-SIDE TEMPLATE INJECTION (SSTI) Presented by – Amit Dubey
- 2. Agenda – ■ Introduction to Template Engines ■ Serve-Side Template Injection (SSTI) ■ Impact ■ Mitigation ■ References ■ Case-Studies
- 3. Template Engines – ■ Generates dynamic web pages. ■ Separating business logic with presentation logic. ■ Reusability. ■ Uses.
- 4. Example – ■ PHP – Twig, Smarty, VlibTemplate. ■ Java – Velocity, WebMacros, Freemaker. ■ Python – Jinja2, Django, Mako. ■ JavaScript – Jade, Rage.
- 6. Template Injection - ■ User input is embedded in unsafe manner. ■ Confused by XSS. Marketing application with email greeting $output = $twig->render(“Dear, $_GET[‘name’]”, array("first_name" => $user.first_name) ); Name =Tester Name = {{7*7}} > Dear,Tester > Dear, 49 Name = {{self}} > Dear, Object of class __TwigTemplate_7ae62e582f8a35e5ea6cc639800ecf15b96c0d6f78db3538221c1145580ca4a5 could not be converted to string
- 7. ■ Detect – Plain Text Context - Can be confused with XSS - {var} {{var}} ${var} <%var%> [% var %] - Results in execution or error message. - a{{var}}b > Expect : ab or Error message - a{{7*7}}b > Expect : a49b smarty=Hello {user.name} > Hello user1
- 8. ■ Detect – Code Context - Results in blank results or error messages - Need to breakout the syntax - Results in execution or error message. - personal_greeting=user.name<tag> > Expect : Hello - personal_greeting=user.name}}<tag> > Expect : Hello user01<tag> personal_greeting=user.name > Hello user01
- 9. ■ Identify – - Identify which template engine in use. - {{7*’7’}} will result 49 in Twig and 7777777 in Jinja2 - Burp suite decision making tree to find SSTI
- 10. ■ Exploit – - READ : - Read the documentation. - EXPLORE : - Explore the environment - Brute-force the variables - ATTACK : - Firm idea of attack surface.
- 11. ■ Exploit Development – - Freemaker: One of most famous java template languages. The official website explains the dangers of allowing user-supplied templates: Ref : http://freemarker.org/docs/app_faq.html#faq_template_uploading_security One of the risk we found
- 12. ■ Exploit Development – “new” built-in offers a possibility for exploitation. - Are there any useful classes implementing TemplateModel? One of these class names stands out - Execute
- 13. ■ Exploit Development – Details confirm that function take input and executes. - Let's develop our payload –
- 14. ■ Automated Tool – - Tplmap : Tplmap assists the exploitation of Code Injection and Server-Side Template Injection vulnerabilities with several sandbox escape techniques to get access to the underlying operating system. - Uses : $ ./tplmap.py -u 'http://www.target.com/page?name=John’ - Link : https://github.com/epinna/tplmap - Burp Extension : https://github.com/epinna/tplmap/blob/master/burp_extension/README.md
- 15. Demonstration - ■ Application used : Xtreme Vulnerable Web Application (XVWA) ■ Back-End Server : Apache ■ Template Engine : Twig ■ Back-End PL : PHP
- 17. Impact - ■ Cross-site scripting ■ Information disclosure ■ Remote Code Execution
- 18. Mitigation - ■ Update Framework/libraries ■ Input Sanitization ■ Sandboxing
- 19. ■ Input Sanitization – - PHP - JAVA - ASP.NET str_replace( array( ''', '"', ',' , ';', '<', '>','{','}', ), '', $name); preg_replace('/[^a-zA-Z0-9_ -]/s','',$value); Text = text.replaceAll ("[^a-zA-Z0-9]", ""); Regex.Replace(Your String, @"[^0-9a-zA-Z:,]+", "")
- 20. Mitigation Demonstration - ■ Input Sanitization
- 22. References - ■ https://www.blackhat.com/docs/us-15/materials/us-15-Kettle-Server-Side- Template-Injection-RCE-For-The-Modern-Web-App-wp.pdf ■ https://www.owasp.org/images/7/7e/Owasp_SSTI_final.pdf ■ https://www.we45.com/blog/server-side-template-injection-a-crash-course- ■ https://www.youtube.com/watch?v=3cT0uE7Y87s ■ https://www.phpflow.com/php/php-remove-special-character-fromstring/
- 23. Case-Studies - ■ https://hackerone.com/reports/125980 ■ https://hackerone.com/reports/164224 ■ https://hackerone.com/reports/230232 ■ https://medium.com/@david.valles/gaining-shell-using-server-side-template-injection-ssti- 81e29bb8e0f9 ■ https://medium.com/bugbountywriteup/frapp%C3%A9-technologies-erpnext-server-side- template-injection-74e1c95ec872 ■ http://ha.cker.info/exploitation-of-server-side-template-injection-with-craft-cms-plguin- seomatic/
- 24. Thank You !