how to: server side template injection
In this guide, we will cover what SSTI is, how to spot it, and how to use it (ethically!). We will also...
What is SSTI?
Server Side Template Injection (SSTI) is a vulnerability that arises when user input is improperly validated and directly inserted into a server-side template engine. This can allow an attacker to inject their own code into the server-side template, potentially leading to remote code execution (RCE) on the target server.
Here’s an example of SSTI vulnerability in Python’s Jinja2 template engine:
from jinja2 import Template
template = Template("Hello {{name}}!")
result = template.render(name=request.args.get('name'))
In this example, the name
parameter is directly inserted into the template without proper validation. This could allow an attacker to execute arbitrary code by injecting malicious code into the name
parameter.
How to Spot SSTI?
SSTI vulnerabilities can be difficult to spot, but there are a few telltale signs to look out for:
- User input is directly inserted into a server-side template engine, such as Jinja2, Mako, or Twig.
- The server-side template engine does not properly validate the input.
- The input is being used to evaluate code within the template.
If you come across any of these signs, it’s likely that you’ve found an SSTI vulnerability.
How to Use SSTI?
Now that we know what SSTI is and how to spot it, let’s talk about how to use it.
You can use SSTI to inject code into a server-side template in order to retrieve sensitive information or perform actions on the target server.
Here’s an example of how to use SSTI:
from jinja2 import Template
template = Template("Hello {{flag}}!")
result = template.render(flag="CTF{abcdefg}")
In this example, we’ve injected the flag into the template using the flag
parameter. By rendering the template, we can retrieve the flag in the result.
In a real case, you will probably have to pass the flag directly on the site rather than on the code of course, but this example is easier to imagine.
How to Solve SSTI Challenges?
Finally, let’s go over some tips on how to solve SSTI challenges.
When attempting to solve an SSTI challenge, it’s important to understand the server-side template engine being used, as well as any potential filters or restrictions on the input. You should also try to inject simple code snippets first, in order to test whether the vulnerability is present.
Here’s an example of how to solve an SSTI challenge:
from jinja2 import Template
template = Template("Hello {{name.upper()}}!")
result = template.render(name="{{config.items()}}")
In this example, we’ve injected a code snippet into the name
parameter that retrieves the server’s configuration. By rendering the template, we can retrieve the configuration in the result.
SSTI is a fun vulnerability that should be taken seriously. By following the tips in this guide, you might be well on your way to spotting and solving SSTI challenges.