Understanding Server Side Template Injection (SSTI)
Server Side Template Injection (SSTI) is an important vulnerability to understand when it comes to web security testing and pentesting. In this article, I will explain the practical difference between plaintext context and code context in SSTI. I will also address common questions regarding SSTI and provide insights into its impact and exploitation.
Plaintext Context
Plaintext context refers to the situation where the input is directly inserted into a template. This means that the input is treated as plain text and not evaluated as code. For example, in pseudocode, the input might be inserted into a template like this: engine.render('Hello {{name}}'). In plaintext context, it is possible to inject HTML tags or template expressions to validate the SSTI vulnerability.
Code Context
Code context, on the other hand, involves injecting the input into a template statement where it is evaluated as code. This allows for more control over the template and potential remote code execution. Breaking out of the template statement is necessary to gain control and inject additional code or tags. In the example used here, the input personal_greeting=username}}<tag> is injected into the template statement engine.render('Hello {{personal_greeting}}') to produce the output Hello user01<tag>.
Common Questions
- Why does personal_greeting=username<tag> come back as a blank “Hello” in code context? When the template engine looks up a non-existent value, it returns nothing/null, resulting in a blank “Hello” response.
- Why is there a need to break out of the template statement in code context? Breaking out of the template statement allows injecting additional code or tags, giving the tester more control over the template and potential exploitation.
- Wouldn’t a template engine throw an error in code context due to the extra }}? The behavior depends on the template engine's implementation. In some cases, the trailing }} may be treated as text and not cause an error.
- Why does it make a difference whether the value of a GET parameter is inserted directly into a template or saved in a variable first? The difference lies in the template engine's implementation; it may be implementation specific and affect how the input is processed and evaluated.
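The code-context example above and the answers to the first and third questions can be reproduced with a small, constructed template engine. This is an added example, not code from the article: the engine, the DATA dictionary and the three render functions are assumptions made for illustration. It resolves only {{ name }} lookups, returns an empty string for a missing name (the blank “Hello”), and leaves a trailing }} as text; the data_context function shows the hardened pattern where the user value travels as data rather than as template source.

```python
import html
import re

# Toy template engine constructed for this example (an assumption, not a real
# engine): it only resolves {{ name }} lookups and, like the engine described
# in the article, substitutes an empty string for a name that does not exist.
EXPR = re.compile(r"\{\{(.*?)\}\}")

def render(template: str, data: dict) -> str:
    """Replace every {{ expr }} in the template source with data[expr] or ''."""
    return EXPR.sub(lambda m: str(data.get(m.group(1).strip(), "")), template)

DATA = {"username": "user01"}  # constructed sample data

def plaintext_context(user_input: str) -> str:
    # Vulnerable: the input becomes part of the template source itself, so a
    # template expression contained in the input is evaluated by the engine.
    return render("Hello " + user_input, DATA)

def code_context(user_input: str) -> str:
    # Vulnerable: the input lands inside an existing {{ }} statement; the
    # caller controls which name is looked up and can close the braces early.
    return render("Hello {{" + user_input + "}}", DATA)

def data_context(user_input: str) -> str:
    # Hardened: the template is a fixed string and the user value travels as
    # data, so it is never parsed as template syntax; it is also HTML-escaped.
    return render("Hello {{greeting}}", {"greeting": html.escape(user_input)})

def compare(user_input: str) -> dict:
    """Render the same input in all three contexts for side-by-side review."""
    return {
        "plaintext": plaintext_context(user_input),
        "code": code_context(user_input),
        "data": data_context(user_input),
    }

if __name__ == "__main__":
    for probe in ("{{username}}", "username<tag>", "username}}<tag>"):
        print(repr(probe), compare(probe))
```

Running the block shows the blank “Hello” for username<tag> in code context, the early close for username}}<tag> (with the trailing }} kept as text), and the unchanged, escaped literal in the hardened data_context.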
It is important to note that SSTI can have severe consequences, including remote code execution. Focusing on XSS as an outcome of successful exploitation may not fully capture the impact of this vulnerability. When conducting web security testing, it is advisable to refer to reliable and up-to-date resources, such as the OWASP Web Security Testing Guide, for comprehensive guidance.