SSTI Server Side Template Injection
What is Server Side Template Injection?
Server-Side Template Injection (SSTI) is a web vulnerability in which unvalidated user input is embedded into a server-side template and is therefore parsed and executed by the template engine.
What is a template engine?
A template engine allows you to create static template files that can be reused in your application.
Example: a page that shows information about a user at /profile/<user>.
The code might look like this in Python's Flask (for example):
The engine merges the template with the data it is given, so the same template can be filled in dynamically with each user's content to produce the page.
Note: Flask is the web framework; Jinja2 is the template engine it uses.
How can SSTI be exploited?
Consider the code above, specifically the template string. The variable user (which holds user input) is concatenated directly into the template source instead of being passed to the template as data. This means that anything provided as user input will be interpreted by the engine as template code.
Note: The template engines themselves are not vulnerable; the vulnerability is an unsafe practice by the developer.
What is the effect of SSTI?
As the name suggests, SSTI is a server-side exploit rather than a client-side exploit like cross-site scripting (XSS).
This means the vulnerability is even more critical, because the server itself is compromised rather than a single account on the website (the common use of XSS).
The possibilities are endless, but the main goal is often to achieve remote code execution.
How is SSTI detected?
If user input is rendered directly by the template engine, there is a vulnerability. For example, if an arithmetic expression such as 7*7 supplied in the relevant parameter comes back as "49", the input was evaluated as template code and the parameter is vulnerable.
Sample Payload:
GET /ssti/ssti.php?name={{_self.env.registerUndefinedFilterCallback("shell_exec")}}{{_self.env.getFilter("dir")}} HTTP/1.1
How to Take Precautions?
To avoid SSTI, render a pre-prepared template and pass the value received from the user to it as data; never build the template source from that value.
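The Flask/Jinja2 code the post refers to, the "49" detection check, and the fix described above, as an added example that is not part of the original post. It uses Jinja2 directly (no Flask needed) and assumes a hypothetical profile page template; the user value is constructed here.

```python
from jinja2 import Environment

# Constructed profile template: the user's name is a *data* value, not template source.
PROFILE_TEMPLATE = "<h1>Profile of {{ user }}</h1>"

# Autoescaping is on so that plain data can never become HTML either.
env = Environment(autoescape=True)


def render_profile_unsafe(user: str) -> str:
    """The vulnerable pattern from the post: user input is concatenated into the
    template source, so the engine parses and evaluates whatever the user sent."""
    template_source = "<h1>Profile of " + user + "</h1>"
    return env.from_string(template_source).render()


def render_profile_safe(user: str) -> str:
    """The fixed pattern: the template is fixed at development time and the user
    value is passed as context data, so it is only ever printed (and escaped)."""
    return env.from_string(PROFILE_TEMPLATE).render(user=user)


def looks_injectable(render, canary="{{7*7}}", expected="49") -> bool:
    """The detection check from the post: submit an arithmetic expression and see
    whether the engine evaluated it. Run this against handlers you own as a self-test."""
    out = render(canary)
    return expected in out and canary not in out


if __name__ == "__main__":
    print(render_profile_unsafe("{{7*7}}"))  # <h1>Profile of 49</h1>      -> evaluated, vulnerable
    print(render_profile_safe("{{7*7}}"))    # <h1>Profile of {{7*7}}</h1> -> literal text, safe
```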