The Nen-Book
  • Whoami
  • Write-ups
    • Intigriti 1337Up 2024
      • Intigriti 1337Up 2024-CTF OSINT Challenges
      • Intigriti 1337Up Live 2024-CTF Web Challenges
    • CyCTF Quals 2024
      • OSINT Challenges CyCTF Quals 2024
      • Old Friend OSINT Challenge CyCTF 2024 Quals Writeup
    • PicoCTF
      • PicoCTF 2024 Web Exploitation Challenges
      • PicoCTF 2024 General Skills Challenges
      • PicoCTF 2021 Web Exploitation Challenges Walkthrough
      • PicoCTF 2019 Web Exploitation Challenges
  • πŸ•ΈοΈWeb_AppSec πŸ•ΈοΈ
    • Web_Recon
    • ATO
    • Backend_Technology_Tips
    • XSS
    • SSRF
    • CSRF
    • XXE
    • SSTI
    • Insecure_Deserialization
    • Open_Redirects
    • Information_Disclosures
    • Rate_Limiting
    • Clickjacking
    • Broken Access Control & IDORS
    • Bash_Scripting
    • Authentication_Vulnerabilities
    • App_Logic_Errors
  • πŸ“ΊNetwork_Pentesting πŸ“Ί
    • Scanning & Enumeration
    • Active_Directory
      • AD_Overview_&_ Lab Build
      • AD_Initial_Attack_Vectors
      • AD_Post-Compromise_Enumeration
      • AD_Post-Compromise_Attacks
    • Buffer_Overflow_Attacks
    • Web_Applications
    • Privilege_Escalation
  • 🌩️Cloud_Security 🌩️
    • AWS Pentesting
  • 🀡APISec 🀡
    • API_Recon
    • Broken_Access_Control & Info_Leaks
  • πŸ”¬Code_Review πŸ”¬
    • Source_Code_Review_101
    • Code Review Tools
  • 🐝Bug_Bounty 🐝
    • Picking_A_BugBounty_Program
    • Writing_A_Good_Report
  • πŸ“‘Purple Teaming & MITRE ATT&CK πŸ“‘
    • Introducing the ATT&CK Framework
    • MITRE Engenuity
    • Threat-Informed Defense
Powered by GitBook
On this page

Was this helpful?

Edit on GitHub
  1. Web_AppSec πŸ•ΈοΈ

SSTI

PreviousXXENextInsecure_Deserialization

Last updated 4 months ago

How to Detect

  • fuzzing the template by injecting a sequence of special characters such as ${{<%[%'"}}%\ ->If an exception is raised, this indicates that the injected template syntax is potentially being interpreted by the server in some way

Plaintext context

  • It's about rendering your input server side into HTML or sort of form before generating the response like render('Hello ' + username)

  • It's like a simple XSS here, However, by setting mathematical operations as the value of the parameter, we can test whether this is also a potential entry point for a server-side template injection attack http://vulnerable-website.com/?username=${7*7}

Code context

  • the vulnerability is exposed by user input being placed within a template expression

  • first establish that the parameter doesn't contain a direct XSS vulnerability by injecting arbitrary HTML into the value: http://vulnerable-website.com/?greeting=data.username<tag> In the absence of XSS, this will usually either result in a blank entry in the output (just Hello with no username),

  • try and break out of the statement using common templating syntax and attempt to inject arbitrary HTML after it: http://vulnerable-website.com/?greeting=data.username}}<tag>

  • Try different syntax

Identify

  • submitting invalid syntax ex: <%=foobar%>``<%=foobar%>

  • same payload can sometimes return a successful response in more than one template language. For example, the payload {{7*'7'}} returns 49 in Twig and 7777777 in Jinja2

πŸ•ΈοΈ
  • How to Detect
  • Identify