
Server-side template injection

All about Server-side template injection.

Published in: Technology


  1. SERVER-SIDE TEMPLATE INJECTION (SSTI) – Presented by Amit Dubey
  2. Agenda –
     ■ Introduction to Template Engines
     ■ Server-Side Template Injection (SSTI)
     ■ Impact
     ■ Mitigation
     ■ References
     ■ Case-Studies
  3. Template Engines –
     ■ Generate dynamic web pages.
     ■ Separate business logic from presentation logic.
     ■ Reusability.
     ■ Uses.
  4. Example –
     ■ PHP – Twig, Smarty, vlibTemplate.
     ■ Java – Velocity, WebMacro, FreeMarker.
     ■ Python – Jinja2, Django, Mako.
     ■ JavaScript – Jade, Rage.
  5. Example Code –
  6. Template Injection –
     ■ User input is embedded in the template in an unsafe manner.
     ■ Often confused with XSS.
     Marketing application with an email greeting (user input is concatenated into the template source itself):
       $output = $twig->render("Dear, $_GET['name']", array("first_name" => $user->first_name));
     Name = Tester     > Dear, Tester
     Name = {{7*7}}    > Dear, 49
     Name = {{self}}   > Dear, Object of class __TwigTemplate_7ae62e582f8a35e5ea6cc639800ecf15b96c0d6f78db3538221c1145580ca4a5 could not be converted to string
  7. ■ Detect – Plain Text Context
     - Can be confused with XSS.
     - Syntaxes to look for: {var} {{var}} ${var} <%var%> [% var %]
     - Results in execution or an error message.
     - a{{var}}b   > Expect: ab or an error message
     - a{{7*7}}b   > Expect: a49b
     - smarty=Hello {user.name}   > Hello user1
  8. ■ Detect – Code Context
     - Results in blank output or error messages.
     - Need to break out of the existing template syntax.
     - Results in execution or an error message.
     - personal_greeting=user.name<tag>     > Expect: Hello
     - personal_greeting=user.name}}<tag>   > Expect: Hello user01<tag>
     - personal_greeting=user.name          > Hello user01
  9. ■ Identify –
     - Identify which template engine is in use.
     - {{7*'7'}} will result in 49 in Twig and 7777777 in Jinja2.
     - Burp Suite decision-making tree to find SSTI.
  10. ■ Exploit –
      - READ: Read the documentation.
      - EXPLORE: Explore the environment; brute-force the variables.
      - ATTACK: Form a firm idea of the attack surface.
  11. ■ Exploit Development –
      - FreeMarker: one of the most famous Java template languages. The official website explains the dangers of allowing user-supplied templates.
      - Ref: http://freemarker.org/docs/app_faq.html#faq_template_uploading_security
      - One of the risks we found:
  12. ■ Exploit Development –
      - The "new" built-in offers a possibility for exploitation.
      - Are there any useful classes implementing TemplateModel? One of these class names stands out: Execute.
  13. ■ Exploit Development –
      - The details confirm that the function takes input and executes it.
      - Let's develop our payload –
  14. ■ Automated Tool –
      - Tplmap: assists the exploitation of Code Injection and Server-Side Template Injection vulnerabilities with several sandbox escape techniques to get access to the underlying operating system.
      - Usage: $ ./tplmap.py -u 'http://www.target.com/page?name=John'
      - Link: https://github.com/epinna/tplmap
      - Burp Extension: https://github.com/epinna/tplmap/blob/master/burp_extension/README.md
  15. Demonstration –
      ■ Application used: Xtreme Vulnerable Web Application (XVWA)
      ■ Back-End Server: Apache
      ■ Template Engine: Twig
      ■ Back-End PL: PHP
  16. Impact –
      ■ Cross-site scripting
      ■ Information disclosure
      ■ Remote Code Execution
  17. Mitigation –
      ■ Update framework/libraries
      ■ Input sanitization
      ■ Sandboxing
  18. ■ Input Sanitization –
      - PHP:
          str_replace(array("'", '"', ',', ';', '<', '>', '{', '}'), '', $name);
          preg_replace('/[^a-zA-Z0-9_ -]/s', '', $value);
      - Java:
          text = text.replaceAll("[^a-zA-Z0-9]", "");
      - ASP.NET:
          Regex.Replace(yourString, @"[^0-9a-zA-Z:,]+", "");
  19. Mitigation Demonstration –
      ■ Input Sanitization
  20. References –
      ■ https://www.blackhat.com/docs/us-15/materials/us-15-Kettle-Server-Side-Template-Injection-RCE-For-The-Modern-Web-App-wp.pdf
      ■ https://www.owasp.org/images/7/7e/Owasp_SSTI_final.pdf
      ■ https://www.we45.com/blog/server-side-template-injection-a-crash-course-
      ■ https://www.youtube.com/watch?v=3cT0uE7Y87s
      ■ https://www.phpflow.com/php/php-remove-special-character-fromstring/
  21. Case-Studies –
      ■ https://hackerone.com/reports/125980
      ■ https://hackerone.com/reports/164224
      ■ https://hackerone.com/reports/230232
      ■ https://medium.com/@david.valles/gaining-shell-using-server-side-template-injection-ssti-81e29bb8e0f9
      ■ https://medium.com/bugbountywriteup/frapp%C3%A9-technologies-erpnext-server-side-template-injection-74e1c95ec872
      ■ http://ha.cker.info/exploitation-of-server-side-template-injection-with-craft-cms-plguin-seomatic/
  22. Thank You!
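Added example, not from the slides: a stdlib-only Python script that flags the probe syntaxes from the "Detect" slide ({var}, {{var}}, ${var}, <%var%>, [% var %]) in constructed access-log lines, and applies an allow-list filter equivalent to the PHP preg_replace on the "Input Sanitization" slide. The log lines, parameter name and function names are assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Template-expression syntaxes listed on the "Detect" slide:
# {var} {{var}} ${var} <%var%> [% var %]
SSTI_PROBE = re.compile(r"\{\{.+?\}\}|\$\{.+?\}|<%.+?%>|\[%.+?%\]|\{[^{}\s]+\}")

# Everything outside the allow-list of the slide's preg_replace('/[^a-zA-Z0-9_ -]/s', ...).
DISALLOWED = re.compile(r"[^a-zA-Z0-9_ -]")

# Request line of a common/combined-format access-log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

# Constructed sample log lines for this demo (not taken from the slides).
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /page?name=Tester HTTP/1.1" 200 512',
    '10.0.0.5 - - [10/Oct/2023:13:55:40 +0000] "GET /page?name=%7B%7B7*7%7D%7D HTTP/1.1" 200 498',
    '10.0.0.9 - - [10/Oct/2023:13:56:02 +0000] "GET /page?name=a%24%7Bvar%7Db HTTP/1.1" 500 120',
    '10.0.0.9 - - [10/Oct/2023:13:56:10 +0000] "GET /page?name=John%20Smith HTTP/1.1" 200 512',
]


def sanitize_name(value):
    """Allow-list filter: drop every character that is not a letter, digit,
    underscore, space or hyphen. That removes the braces, $, % and operators
    every template syntax on the slide needs, so "{{7*7}}" becomes "77"."""
    return DISALLOWED.sub("", value)


def find_probes(log_lines):
    """Return (line_no, param, decoded_value) for each query parameter whose
    percent-decoded value contains one of the template syntaxes above."""
    hits = []
    for line_no, line in enumerate(log_lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue  # not a request line in the expected format
        query = urlsplit(match.group(1)).query
        for key, value in parse_qsl(query, keep_blank_values=True):
            # parse_qsl decodes once; decode again so a double-encoded
            # probe (e.g. %257B%257B ...) is caught as well.
            value = unquote_plus(value)
            if SSTI_PROBE.search(value):
                hits.append((line_no, key, value))
    return hits


if __name__ == "__main__":
    for line_no, key, value in find_probes(SAMPLE_LOG):
        print(f"line {line_no}: {key}={value!r} -> sanitized {sanitize_name(value)!r}")
```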
