Server Side Template Injection [SSTI] – Prevention and Detection


Server Side Template Injection

Before looking at the vulnerability itself, it helps to know why it arises in a web application. The list of requirements for a web application grows day by day. One common requirement is populating data dynamically; another is building the application with less work by using templates. The simplest way to combine both is a template that comes with predefined elements and gives the option to populate data dynamically from values originating on the client side. The component that does this is commonly called a Template Engine.

Why it is used?

To generate content dynamically based on what the end client needs. A classic example is a mass mail campaign in which every message addresses you by name. Ever wondered how that is done? The available Template Engines are developed for exactly this purpose: the template is a static file whose placeholders are replaced at runtime with the actual values shown on the HTML page. Now you know what Template Engines are used for.

What is Template Injection?

Now, let us jump into the topic of Template Injection. Template Engines come with various uses, but they also bring a serious issue if the data coming from the client is not handled well. It happens when the developer fails to validate or sanitize the user-supplied input and allows it to be embedded in the template itself.

Methodology for Template Injection

We will only cover these briefly, because there are 'n' number of methods available in the wild. I'm taking the one that was easiest for my own understanding to explain a little here.

Detect:

We can detect this vulnerability in two different contexts:

Plaintext Context:

Most template engines accept plaintext, so an HTML snippet can be injected directly. This leads to most of the injection-based attacks.

Code Context:

User input is supplied to the template as a variable name, i.e. it becomes part of the template code rather than plain data.

Let's look at an example using the Twig template engine.

Code Snippet

$output = $twig->render('Dear ' . $_GET['custom_greeting'], array("first_name" => $user->first_name));

Code output based on User supplied values

User Value 1: Name = Adam → Dear, Adam
User Value 2: Name = {{7*7}} → Dear, 49

We can see that the template evaluates the user-supplied input instead of treating it as plain data.

Identify:

There are many ways to identify this vulnerability in templates, such as supplying a mix of alphanumeric values and template syntax as user input, as shown in the example above.

Exploit:

The most devastating thing this can lead to is Remote Code Execution. With RCE, an attacker can take the entire application into their own hands. Since there are many template engines available, I'm sharing the GitHub page where I found most of the engine-specific template codes for reference.

Link: https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection

Prevention:

  • Sanitize the user input. Don't supply user input to templates without validating it.
  • Always use up-to-date frameworks and libraries to reduce risk.
  • Many template engines come with a sandboxing option. Explore that part for more clarification.
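The Twig snippet above and the first prevention point, as an added example that is not code from the original post: the vulnerable function concatenates user input into the template source (so `{{7*7}}` is evaluated), while the safe function keeps the template fixed and passes the input as a variable. It assumes Twig is installed via Composer; the template name `greeting`, the function names and the sample inputs are mine.

```php
<?php
// Added example: vulnerable vs. safe use of Twig. Assumes Twig is
// installed with Composer (vendor/autoload.php); names are illustrative.
require 'vendor/autoload.php';

use Twig\Environment;
use Twig\Loader\ArrayLoader;

// A fixed template with a placeholder; its source never contains user data.
$loader = new ArrayLoader(['greeting' => 'Dear {{ name }},']);
// 'html' autoescaping is Twig's default; stated explicitly for clarity.
$twig = new Environment($loader, ['autoescape' => 'html']);

// VULNERABLE: user input becomes part of the template source, so any
// template syntax in the input ({{ ... }}) is parsed and evaluated.
function renderVulnerable(Environment $twig, string $userInput): string
{
    return $twig->createTemplate('Dear ' . $userInput . ',')->render([]);
}

// SAFE: the template is fixed; user input is only data bound to {{ name }}
// and is HTML-escaped on output, never parsed as template code.
function renderSafe(Environment $twig, string $userInput): string
{
    return $twig->render('greeting', ['name' => $userInput]);
}

// Self-check for your own renderer using the arithmetic probe from the
// article: if the rendered text contains "49", the input was evaluated.
function evaluatesInput(callable $renderer): bool
{
    return strpos($renderer('{{7*7}}'), '49') !== false;
}

$vulnerable = fn(string $s) => renderVulnerable($twig, $s);
$safe       = fn(string $s) => renderSafe($twig, $s);

// Constructed sample inputs: a plain name and the detection probe.
foreach (['Adam', '{{7*7}}'] as $input) {
    echo "vulnerable: ", renderVulnerable($twig, $input), "\n";
    echo "safe:       ", renderSafe($twig, $input), "\n";
}
echo "vulnerable renderer evaluates input: ",
    evaluatesInput($vulnerable) ? "yes" : "no", "\n";
echo "safe renderer evaluates input:       ",
    evaluatesInput($safe) ? "yes" : "no", "\n";
```

The same self-check can be pointed at any internal rendering function during testing to confirm that user-controlled strings reach Twig only as context variables.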