Server-Side Template Injection

high Web Application Scanning Plugin ID 112614

Synopsis

Server-Side Template Injection

Description

Web applications often rely on template engines to manage the dynamic generation of the HTML pages presented to their users.

A Server-Side Template Injection (SSTI) vulnerability exists when an application embeds unsafe user-controlled input in its templates and then evaluates the result.

By injecting a specific payload dependent on the template engine used by the application, an attacker can leverage this vulnerability to gain access to sensitive information or to achieve remote code execution.

Solution

Developers should avoid using user inputs in server templates to prevent malicious injections. If the application still requires this type of input, logic-less template engines should be preferred when possible, because removing the logic part of the code from the templates decreases the attack surface. Finally, another solution is to create sandboxed environments by leveraging language capabilities or isolated Docker containers.
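The first two recommendations above, shown as an added example that is not part of the original plugin text. Python's built-in str.format stands in for a template engine with logic (an assumption, since the page names no engine), and the Settings class, the render_* functions and the secret value are constructed for illustration.

```python
from string import Template


class Settings:
    """Constructed stand-in for server-side state reachable from a template."""

    def __init__(self):
        self.site_name = "Example Shop"
        self.api_key = "CONSTRUCTED-SECRET-0000"  # constructed value, not a real key


SETTINGS = Settings()


def render_unsafe(user_name: str) -> str:
    # Vulnerable pattern: user input is concatenated into the template
    # source, so any placeholder it contains is evaluated by the engine.
    template_source = "Welcome to {cfg.site_name}, " + user_name + "!"
    return template_source.format(cfg=SETTINGS)


def render_data_only(user_name: str) -> str:
    # Fix 1: the template source is a constant; user input is passed only
    # as a value and is never parsed as template syntax.
    return "Welcome to {cfg.site_name}, {name}!".format(cfg=SETTINGS, name=user_name)


def render_logicless(user_name: str) -> str:
    # Fix 2: string.Template only substitutes $name keys. It has no
    # attribute access or expressions, and substituted values are not
    # re-scanned, so the context holds only what is explicitly passed.
    template = Template("Welcome to $site, $name!")
    return template.substitute(site=SETTINGS.site_name, name=user_name)


if __name__ == "__main__":
    probe = "{cfg.api_key}"  # constructed input containing template syntax
    for render in (render_unsafe, render_data_only, render_logicless):
        print(f"{render.__name__}: {render(probe)}")
```

Only render_unsafe resolves the placeholder in the input; the other two return it as literal text.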

See Also

https://research.securitum.com/server-side-template-injection-on-the-example-of-pebble/

https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/07-Input_Validation_Testing/18-Testing_for_Server_Side_Template_Injection

https://www.okiok.com/server-side-template-injection-from-detection-to-remote-shell/

https://medium.com/@adrien_jeanneau/how-i-was-able-to-list-some-internal-information-from-paypal-bugbounty-ca8d217a397c

Plugin Details

Severity: High

ID: 112614

Type: remote

Family: Injection

Published: 10/19/2020

Updated: 11/26/2021

Scan Template: api, scan, pci

Risk Information

CVSS Score Source: Tenable

CVSS v2

Risk Factor: High

Base Score: 7.5

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS v3

Risk Factor: High

Base Score: 7.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Reference Information

CWE: 74

WASC: Improper Input Handling

HIPAA: 164.306(a)(1), 164.306(a)(2)

CAPEC: 10, 101, 108, 120, 13, 135, 14, 24, 250, 267, 273, 28, 3, 34, 42, 43, 45, 46, 47, 51, 52, 53, 6, 64, 67, 7, 71, 72, 76, 78, 79, 8, 80, 83, 84, 9

DISA STIG: APSC-DV-002560

OWASP: 2010-A1, 2013-A1, 2017-A1, 2021-A3

OWASP API: 2019-API8

OWASP ASVS: 4.0.2-5.2.5

PCI-DSS: 3.2-6.5.1

ISO: 27001-A.14.2.5

NIST: sp800_53-SI-10