Server-side Template Injection (SSTI)

An introduction to SSTI vulnerability

Last updated 11 months ago

Server-side template injection (SSTI) is when an attacker can use the template engine's own syntax to inject a payload into a template, which the engine then evaluates on the server, so the attacker's input ends up being executed as server-side code. Before we dive into SSTI, let's look at what a template engine is for.

What is a template?

Template engines generate web pages by combining a fixed template (markup with placeholders and, in most engines, a small expression language) with dynamic data supplied at render time, such as the current user's name.

So how does SSTI occur?

SSTI occurs when user input is concatenated directly into the template source instead of being passed to the engine as data. The engine then parses the input as part of the template, so an attacker can supply template directives and expressions that it evaluates, e.g. {{os.system('whoami')}} in a Jinja2-style engine (that particular payload only works where os, or an object that can reach it, is exposed to the template; the general point is that the attacker's input is evaluated on the server).

Impact of SSTI

Since SSTI payloads are delivered to and evaluated by the server, this class of vulnerability is very dangerous. The exact impact depends on the template engine in use and on how the application uses it, but SSTI can lead to full remote code execution; even where it does not, it typically lets an attacker read sensitive data from the template context and often arbitrary files on the server.

How to exploit SSTI?

Consider the server-side code render('Hello ' + username), where username comes straight from a GET parameter. You would request something like http://greenhat.gitbook.io/?username=${7*7}.

If the response contains Hello 49, the template engine evaluated the arithmetic server-side, which confirms that your input is being parsed as template source rather than as data. If it contains Hello ${7*7} unchanged, either the input is treated as data or this engine uses a different syntax. That is the whole trick, but in practice you usually need to try a few syntaxes ({{7*7}}, ${7*7}, <%= 7*7 %> and so on), since each engine family has its own delimiters, unless you already know which template engine the web application runs.

Once you have confirmed the injection and identified the engine (error messages, the syntax that evaluated, and PortSwigger's decision tree all help with this), read that engine's documentation for the objects, filters and methods a template can reach, and build up from there towards file reads or command execution.
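
To make the detection step above and the fix discussed under prevention concrete, here is an added example in Python (not code from the original page). So that it runs without any third-party engine, it uses a deliberately minimal stand-in engine, render(), that evaluates {{ ... }} expressions the way Jinja2-style engines do; the function names, the probe table and the secret_key context value are all constructed for this example. greet_vulnerable() builds the template from the username exactly like render('Hello ' + username) above, greet_safe() passes the username as data instead, and probe() performs the 7*7 detection step with three common delimiter syntaxes.

```python
import re

# Minimal stand-in for a template engine (constructed for this example):
# every {{ expr }} in the template *source* is evaluated against the context.
# Real engines (Jinja2, Twig, ...) are far richer, but the injection point is the same.
TAG = re.compile(r"\{\{(.*?)\}\}")


def render(template: str, **context) -> str:
    def evaluate(match: re.Match) -> str:
        expr = match.group(1).strip()
        # Empty builtins only limit this toy engine; it is not a security boundary,
        # which is exactly why a sandbox alone is not the fix for SSTI.
        return str(eval(expr, {"__builtins__": {}}, dict(context)))

    # Single pass: substituted values are never re-parsed as template source.
    return TAG.sub(evaluate, template)


def greet_vulnerable(username: str, **context) -> str:
    """The page's render('Hello ' + username): user input becomes template source."""
    return render("Hello " + username, **context)


def greet_safe(username: str, **context) -> str:
    """Fixed template; user input is passed as data and only ever substituted."""
    return render("Hello {{ username }}", username=username, **context)


# Arithmetic probes in the delimiter styles of common engine families.
PROBES = {
    "{{7*7}}": "Jinja2 / Twig style",
    "${7*7}": "FreeMarker / Velocity style",
    "<%= 7*7 %>": "ERB style",
}


def probe(render_fn) -> list:
    """Return the engine families whose probe arithmetic was evaluated server-side."""
    hits = []
    for payload, family in PROBES.items():
        try:
            output = render_fn(payload)
        except Exception:
            # A parse error is itself a hint that the engine consumed the payload.
            continue
        if "49" in output and payload not in output:
            hits.append(family)
    return hits


if __name__ == "__main__":
    # Detection: only the {{ }} syntax is evaluated by this engine.
    print(probe(greet_vulnerable))            # ['Jinja2 / Twig style']
    print(greet_vulnerable("{{7*7}}"))        # Hello 49
    # Impact: anything reachable from the template context leaks.
    print(greet_vulnerable("{{ secret_key }}", secret_key="hunter2"))  # Hello hunter2
    # Hardened: the same payloads come back as literal text.
    print(greet_safe("{{7*7}}"))              # Hello {{7*7}}
    print(greet_safe("{{ secret_key }}", secret_key="hunter2"))        # Hello {{ secret_key }}
    print(probe(greet_safe))                  # []
```

The important difference is not the engine but where the user input enters: in greet_vulnerable() it is part of the string the engine parses, in greet_safe() it is a value the engine substitutes into an already-parsed template, so no delimiter syntax in the input is ever interpreted.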

How to prevent SSTI?

The root cause is user input becoming part of the template source, so the first fix is to keep input out of the template entirely: render a fixed template and pass user-controlled values to the engine as data (context variables), where they are substituted but never parsed. Beyond that, if at all possible, do not allow users to modify or submit templates of their own; whether that is feasible depends on your business case. Another option is a "logic-less" template engine such as Mustache, at least until you genuinely require logic in templates: separating logic from presentation removes the expression evaluation that the most dangerous template-based attacks rely on. Many engines also offer a sandboxed mode that restricts what a template can reach; treat it as defense in depth rather than a boundary, since such sandboxes have repeatedly been bypassed. Finally, run the rendering component in a locked-down container with minimal privileges, so that an attacker who does achieve code execution cannot easily pivot from it.

Ok that's all for today, I am tired.

Interview Questions

  • How does SSTI differ from other injection attacks like SQL Injection and Cross-Site Scripting (XSS)?

  • What are some best practices for preventing SSTI vulnerabilities in web applications?

Author

Frost 😝❄️

Reference

  • PortSwigger - Server-side template injection
  • HackTricks - SSTI (Server Side Template Injection)

[Image: A basic SSTI vulnerability]
[Image: An SSTI evaluation decision tree from PortSwigger]