Server-Side Template Injection

Severity: High | Web App Scanning Plugin ID 112614

Synopsis

Server-Side Template Injection

Description

Web applications often rely on template engines to manage the dynamic generation of the HTML pages presented to their users.

A Server-Side Template Injection (SSTI) vulnerability exists when an application embeds unsafe user-controlled input in its templates and then evaluates them, so the input is parsed as template syntax rather than treated as data.

By injecting a specific payload dependent on the template engine used by the application, an attacker can leverage this vulnerability to gain access to sensitive information or to achieve remote code execution.

Solution

Developers should avoid using user input in server-side templates to prevent malicious injections. If the application still requires this type of input, logic-less template engines should be preferred when possible to decrease the attack surface by removing the logic part of the code from the templates. Finally, another solution is to create sandboxed environments by leveraging language capabilities or isolated Docker containers.
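The distinction the Description and Solution draw, user input parsed as template source versus user input passed as template data, as an added example that is not part of the plugin text. It uses only Python's standard-library string.Template (a logic-less engine) so it runs without third-party packages; the context values and the detection helper are constructed for illustration.

```python
"""Added example: the same user input reaching a template two ways."""
from string import Template

# Constructed sample context: the kind of data a page handler exposes to templates.
CONTEXT = {"site": "example.test", "db_password": "hunter2-constructed"}


def render_unsafe(user_name: str) -> str:
    """Vulnerable pattern: the template *source* is built from user input.

    Anything the user types becomes template syntax, so a placeholder such
    as "$db_password" is expanded against CONTEXT and leaks data. With a
    logic-bearing engine the same mistake can reach code execution.
    """
    template = Template("Hello " + user_name + ", welcome to $site")
    return template.safe_substitute(CONTEXT)


def render_safe(user_name: str) -> str:
    """Fixed pattern: the template source is constant; user input is data.

    Substitution is single-pass, so a value containing "$db_password" is
    emitted verbatim and is never parsed as a placeholder.
    """
    template = Template("Hello $name, welcome to $site")
    return template.safe_substitute(CONTEXT, name=user_name)


def flags_template_syntax(value: str) -> bool:
    """Detection hook (constructed): True if the input contains placeholders
    this engine would expand, useful for logging or alerting on suspicious
    input even after the rendering fix is in place."""
    return any(
        m.group("named") or m.group("braced")
        for m in Template.pattern.finditer(value)
    )


if __name__ == "__main__":
    probe = "$db_password"
    print("unsafe :", render_unsafe(probe))   # context value leaks into the page
    print("safe   :", render_safe(probe))     # placeholder text is echoed as data
    print("flagged:", flags_template_syntax(probe))
```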

See Also

https://medium.com/@adrien_jeanneau/how-i-was-able-to-list-some-internal-information-from-paypal-bugbounty-ca8d217a397c

https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/07-Input_Validation_Testing/18-Testing_for_Server_Side_Template_Injection

https://research.securitum.com/server-side-template-injection-on-the-example-of-pebble/

https://www.okiok.com/server-side-template-injection-from-detection-to-remote-shell/

Plugin Details

Severity: High

ID: 112614

Type: remote

Family: Injection

Published: 10/19/2020

Updated: 2/8/2024

Scan Template: api, full, pci, scan

Risk Information

VPR

Risk Factor: Medium

Score: 4.7

CVSS v2

Risk Factor: High

Base Score: 9

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:P/A:P

CVSS Score Source: Tenable

CVSS v3

Risk Factor: High

Base Score: 8.6

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

CVSS Score Source: Tenable

Reference Information

CWE: 1336

OWASP: 2010-A1, 2013-A1, 2017-A1, 2021-A3

WASC: Improper Input Handling

CAPEC: 3, 6, 7, 8, 9, 10, 13, 14, 24, 28, 34, 42, 43, 45, 46, 47, 51, 52, 53, 64, 67, 71, 72, 76, 78, 79, 80, 83, 84, 101, 108, 120, 135, 250, 267, 273

DISA STIG: APSC-DV-002560

HIPAA: 164.306(a)(1), 164.306(a)(2)

ISO: 27001-A.14.2.5

NIST: sp800_53-SI-10

OWASP API: 2019-API8

OWASP ASVS: 4.0.2-5.2.5

PCI-DSS: 3.2-6.5.1