Server Side Template Injection

  1. Overview
    A Server Side Template Injection (SSTI) vulnerability occurs when templates are built on the server side and user input values are inserted into existing templates. Attackers exploit template syntax to insert malicious payloads that make the server perform actions of the attacker's choosing.
  2. Attack Process
    SSTI vulnerabilities vary across servers and templates, so the payloads used for exploitation differ depending on the language and template engine in use.

    [Image: syntax used to identify the template engine in use]

Source: https://dokhakdubini.tistory.com/515

By inserting each syntax shown in the image above, an attacker can determine which template engine the target server is using.

Example of attack syntax using Smarty Template:

GET /test?q={$smarty.server.SERVER_ADDR} HTTP/1.1
Host: www.sample.com
User-Agent: HTTPie

  3. Countermeasures
    There are two main approaches to counter SSTI vulnerabilities:

1) Sanitization: Avoid generating templates from user input. If user input is necessary, process it through provided parameters within the template to limit the impact on the template itself.

2) Input Validation: Validate user input and escape the special characters that make up template syntax.
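
A minimal sketch of the input validation described in 2), added here as an example and not AIWAF's detection patterns. The marker list, the function names, and every sample request other than the Smarty request shown in the Attack Process section are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Expression/statement openers of the engines named in this report.
# Assumption: an illustrative list, not AIWAF's actual signatures.
MARKERS = {
    "Smarty": re.compile(r"\{\$"),
    "Jinja2/Twig": re.compile(r"\{\{|\{%"),
    "Mako": re.compile(r"\$\{|<%"),
}

def fully_decode(value, max_rounds=3):
    """Undo nested URL encoding so %257B%2524 is inspected as {$."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan_request_line(request_line):
    """Map each query parameter to the engines whose syntax its value contains."""
    _method, target, _version = request_line.split(" ", 2)
    findings = {}
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        value = fully_decode(value)
        hits = [engine for engine, rx in MARKERS.items() if rx.search(value)]
        if hits:
            findings[name] = hits
    return findings

# First request is the one from this report; the others are constructed samples.
SAMPLES = [
    "GET /test?q={$smarty.server.SERVER_ADDR} HTTP/1.1",
    "GET /test?q=%257B%2524smarty.server.SERVER_ADDR%257D HTTP/1.1",
    "GET /test?q=template+engines&page=2 HTTP/1.1",
]

if __name__ == "__main__":
    for line in SAMPLES:
        findings = scan_request_line(line)
        print("BLOCK" if findings else "ALLOW", line, findings)
```

Treat a hit as a reason to reject or log the request. This check complements, and does not replace, keeping user input out of the template source as described in 1).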


At AIWAF, we have developed response patterns tailored to the syntax used in each template.

Pattern for detecting attack syntax utilizing arithmetic operations.

Pattern for detecting attacks exploiting vulnerabilities in Jinja2 templates to insert Python-based malicious payloads.

Pattern for detecting attacks exploiting vulnerabilities in Mako templates to insert Python-based malicious payloads.

Pattern for detecting attacks exploiting vulnerabilities in Smarty templates to insert PHP-based malicious payloads.

Pattern for detecting attacks exploiting vulnerabilities in Twig templates to insert PHP-based malicious payloads.

  4. Conclusion
    The more accessible an SSTI vulnerability is, the higher the risk it poses, and its significant impact calls for a prompt response. Since updates are continually released, periodic checks and updates are essential.

AIWAF has developed multiple patterns to address SSTI-related vulnerabilities and will respond promptly to any newly discovered vulnerabilities.
