Server Side Template Injection - SSTI

User input is concatenated into the template string instead of being passed to the engine as data, so the engine evaluates it as template syntax rather than rendering it as text.

Templates are just strings: anything that ends up inside the template before it is rendered is parsed as template syntax, which is why concatenating user input into one is dangerous.

Detecting:

Fuzz for a potentially valid parameter:

${{<%[%'"}}%\

If this raises an exception or otherwise changes the response, the input is reaching a template engine and the server may be vulnerable.

Contexts:

Plaintext:

http://vulnerable-website.com/?username=${7*7}

Vulnerable result: Hello, 49

The syntax varies by template engine.

Code:

Vulnerable code:

greeting = getQueryParameter('greeting')
engine.render("Hello {{"+greeting+"}}", data)

Injection:

http://vulnerable-website.com/?greeting=data.username

Vulnerable result: Hello <name>

This is easily mistaken for XSS, since the input is reflected into the page either way, so test for XSS first and then check whether the input is actually being evaluated by the template engine.

Inject HTML to test:

http://vulnerable-website.com/?greeting=data.username<tag>

If the result is an error or a blank “Hello” with no username, the tag was parsed as part of the template expression. Test again, this time closing the expression so the tag lands outside it:

http://vulnerable-website.com/?greeting=data.username}}<tag>

Vulnerable result:

Hello Name<tag>

NB: a blank result can also mean the wrong closing syntax for this engine was used, so keep trying the delimiters of other engines before ruling SSTI out.
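The plaintext-context probe, the code-context probes and the break-out test above, worked through in one runnable script. This is an added example, not code from the original page: it uses a tiny stand-in engine that evaluates anything between {{ and }} as a Python expression (real engines such as Jinja2 or Freemarker have their own expression languages and delimiters, so the exact payloads differ), a hypothetical Data object with a username attribute, and a constructed username "Carlos".

```python
import re

# Added example: a minimal stand-in for a real template engine. Anything
# between {{ and }} is evaluated as an expression with `data` in scope,
# which is roughly what Jinja2, Freemarker etc. do with their own syntax.
_EXPR = re.compile(r"\{\{(.*?)\}\}", re.S)


class Data:
    """Hypothetical object handed to the template (the page's `data`)."""

    def __init__(self, **fields):
        self.__dict__.update(fields)


def render(template, data):
    """Evaluate each {{ expr }} once; substituted text is not re-scanned."""

    def substitute(match):
        # eval() stands in for the engine's expression evaluator.
        return str(eval(match.group(1), {"__builtins__": {}}, {"data": data}))

    return _EXPR.sub(substitute, template)


# --- Plaintext context: input lands outside any expression -------------------
def plaintext_context(username, data):
    # Vulnerable: the user-controlled string becomes part of the template.
    return render("Hello " + username, data)


# --- Code context: input lands inside an expression (the page's bug) ---------
def vulnerable_greeting(greeting, data):
    # Vulnerable: user input concatenated INTO the expression.
    return render("Hello {{" + greeting + "}}", data)


# --- Fixed form: the template is a constant, the input is passed as data -----
def safe_greeting(greeting, data):
    return render(
        "Hello {{data.greeting}}",
        Data(username=data.username, greeting=greeting),
    )


def probe(send, payloads):
    """Run the page's probes through `send(payload) -> str` and record
    either the rendered output or the exception type, as a tester would."""
    results = {}
    for payload in payloads:
        try:
            results[payload] = send(payload)
        except Exception as exc:  # an exception is itself a signal
            results[payload] = "ERROR: " + type(exc).__name__
    return results


if __name__ == "__main__":
    data = Data(username="Carlos")  # constructed sample data

    # Plaintext context: {{7*7}} is the stand-in for the page's ${7*7}.
    print(plaintext_context("{{7*7}}", data))          # Hello 49

    # Code context: the four probes from the page, in order.
    code_probes = (
        "7*7",
        "data.username",
        "data.username<tag>",     # error: tag parsed inside the expression
        "data.username}}<tag>",   # break-out: tag lands outside, plus a stray }}
    )
    for payload, result in probe(lambda p: vulnerable_greeting(p, data), code_probes).items():
        print(f"{payload!r:28} -> {result}")

    # Fixed form: the same payloads are rendered as literal text.
    for payload, result in probe(lambda p: safe_greeting(p, data), code_probes).items():
        print(f"safe {payload!r:23} -> {result}")
```

The break-out probe leaves a stray `}}` after the tag in the output (`Hello Carlos<tag>}}`), which is exactly the artifact to look for in a real response: it shows the engine closed the expression at the injected `}}` and treated the rest as plain text. The fixed form renders every payload as the literal string because the substituted text is never re-scanned for template syntax.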
