A Pentester’s Guide to Server Side Template Injection (SSTI)

Divy Kansara

Divy Kansara

Feb 20, 2024

3 Min

TABLE OF CONTENTS

  1. Basics of SSTI
  2. What is Template Engines
  3. Various Template Engines
  4. What is Server-side template injection?
  5. SSTI methodology steps
  6. SSTI in Smarty(PHP)
  7. How to Prevent SSTI?

Basics of SSTI

Before diving into Server-Side Template Injection (SSTI), it’s important to understand the basics of web application template engines.

What is Template Engines

Templating engines can accept a generic document, known as a template, and combine it with a set of variables to create a final document. For example, let’s review an email that an administrator wants to send to their customers.

801.jpg

While it’s possible for the administrator to create a custom email for every order, it is much more convenient to create a template that can be reused multiple times as below example

802.jpg

Various Template Engines

Templating EngineLanguageServer/client Side
Twig,SmartyPHPServer Side
Freemarker,VelocityJava (usually)Server Side
Pug/JadeJavaScriptMostly Server Side
Jinja,Mako,TornadoPythonServer Side
HandlebarsJavaScriptBoth
LiquidRubyVaries

What is Server-side template injection?

A Server-side Template Injection (SSTI) is a security vulnerability that occurs when an attacker is able to inject malicious code into a template using built-in template language constructs. The injected code is then executed on the server-side, which can lead to the compromise of sensitive data or the entire system.

SSTI methodology steps

  • Look for Reflection of our User-controlled input.
  • If our payload is evaluated, Enumerate the templating Engine.
  • We have 2 ways to identify which templating Engine is the website using.

1. Through Error message(Stack trace)

  • Use the polyglot payload as the value of the parameter which is a sequence of special characters such as the following:

799.jpg

It will generate the following error. Based on the below picture we can easily identify that the website is using the django framework.

803.jpg

2. To supply mathematical expressions in curly brackets. Based on the observed rendering of payloads, narrow down the testing to specific template engines that match the observed behaviour.

For example, if the payload #{ 9 * 9 } render as 81, focus on testing for template engines like freemarker (legacy), slim template engine in Ruby, Markaby, Erector HAML (older versions), or the PugJS template engine in Node.js.

804.jpg

SSTI in Smarty(PHP)

We can use the given payloads if we have identified that the application is using smarty template engine. We can use functions like system, passthru, shell_exec and exec in PHP which allows us to execute system commands.

805.jpg

How to Prevent SSTI?

  • Input Validation and Sanitization
  • Use of Safe Templating Engines
  • Code Reviews and Testing
  • Keep the Server and Dependencies Up-to-date
Divy Kansara
Divy KansaraSecurity Analyst
linkedin

Divy Kansara, Certbar Security’s penetration tester, excels in Web R&D with 2 year’s expertise, focusing on Network and Web VAPT. VTU B.Tech graduate.

Share

Share to Microsoft Teams
Header Logo

Attack. Defend. Comply. Privacy.

InstagramTwitterLinkedinFacebook

Register with:

Linkedin

Services

    Penetration TestingAI SecurityData PrivacyManaged Security ServicesComplianceConfiguration Assessment
Copyright © 2019 - 2024 Certbar Security Pvt. Ltd. All rights reserved.