Server-Side Template Injection (SSTI) is an attack that allows an attacker to inject malicious input into a templating engine, leading to code execution on the server.
Template engines are often used in web applications to generate dynamic HTML responses. They allow us to embed variables within HTML templates, which get filled in with real values when the page is rendered. SSTI occurs when an attacker can control some or all of these template variables, potentially leading to code execution on the server.
Imagine a web application that allows users to send customized e-greeting cards. The message from one user to another might be:
Happy Birthday {{username}}!
where username is a variable taken from user input.
An attacker uses the payload {{4 * 4}} and, instead of seeing the input rendered as text, they see 16 on the e-greeting card. This indicates that the server is evaluating the input using a template engine. The attacker can now try to exploit this behavior further by using the templating syntax to make the server reveal more information or execute commands
Server-side template injection vulnerabilities arise when user input is concatenated into templates rather than being passed in as data.
The classic example is an email that greets each user by their name, such as the following extract from a Twig template:
$output = $twig->render("Dear {first_name},", array("first_name" => $user.first_name));
This is not vulnerable to server-side template injection because the user's first name is merely passed into the template as data.
<aside> ⚠️ However, as templates are simply strings, web developers sometimes directly concatenate user input into templates prior to rendering.
</aside>
Let's take a similar example to the one above, but this time, users are able to customize parts of the email before it is sent. For example, they might be able to choose the name that is used:
$output = $twig->render("Dear " . $_GET['name']);
In this example, instead of a static value being passed into the template, part of the template itself is being dynamically generated using the GET parameter name. As template syntax is evaluated server-side, this potentially allows an attacker to place a server-side template injection payload inside the name parameter as follows:
[<http://vulnerable-website.com/?name={{bad-stuff-here}>](<http://vulnerable-website.com/?name=%7B%7Bbad-stuff-here%7D>)}
The approach to detecting SSTI is similar to other injection attacks. We need to find points of input, fuzz, and then review the results. Below are the high level steps to achieve this.