What is Server-Side Template Injection?

SSTs (Server Side Templates) offer an easy technique of handling the dynamic generation of HTML code. Though they can also become a target to SSTI (Server Side Template Injection).  

SSTs let developers pre-populate a webpage with custom user information straight on the server. Hence, it is usually faster to make all the requests inside a server rather than making extra roundtrips from browser to server. It is different from client-side templating, in which browsers generally load a template that affects the total end-user experience.

Feature-rich web apps usually embed the inputs from the user in web templates in order to provide flexible shortcuts and functionality. This makes a vulnerability easily mistaken for cross-site scripting.

Working of SST :
The most common method for web frameworks to dynamically create HTML is by using templates. It comprises both the static parts of the HTML output, as well as the syntax that describes how it will place dynamic content.

These template systems are not safe from suspicious template authors. For example, a website should not permit its users to supply their own templates, since a template author can execute cross-site scripting attacks and they can also obtain properties of these template variables that may comprise sensitive data.

Then these template engines process template files, which supports in populating dynamic information into web pages. The template engine generates the HTML output reply when an HTTP request comes in.

Some of the most commonly used server-side template engines are Jinja2 or Jinja, Freemaker, Mako, Velocity, Smarty, Tornado, Genshi, Twig, Mustache, etc.

Working of SSTI :
An SSTI occurs when a malicious user is permitted to use native template syntax to inject a malevolent payload into a template, which is then executed on the server-side.

Template engines are designed to create web pages by merging fixed templates with dynamic data. SSTI attacks can happen when a user inputs information and it is concatenated straight into the template, rather than passing it in the form data. It lets malicious users inject random template commands that can distort the template engine, usually, it allows them to take full control over the server.

For example,

Template = “UserName:” + Input
render(template)

• In the above example, the “Input” is a part of the template. Hence, a user can input either the username or some other parameter of a web app, like some arbitrary codes. Thus a user can input something like.

Username: {{9*9}}  
Username 81

• As can be seen above, the SST engine processes the input {{9*9}} and gives 81 as the output. This demonstrates that the web app is vulnerable.
• And if the web app is found to be vulnerable, an attacker can even enter some malicious code to gain full remote access. For example,

About:{{Malicious Code()}}

Detection of SSTI :

SSTIs can be detected by the plain text detection method or by the code context detection method.

• Plain text detection method –
  Plain text detection can be used to detect SSTIs, in this some of the commonly used template expressions can be used by the tester.

For example: {{8*5}}, ${2*7}, {{8/0}}, <%= 5/0 %>, ${foobar}, {{9*9}}, etc.  

• Code context detection –
  In this, a payload can be used to fetch an error response. For example, an HTTP GET parameter can be used to insert a variable in a template statement.

For example: Greet_user = username
Hello user_x

• If the payload server responds with just blank “Hello”. Then the tester can break out of the template statement and inject an HTML tag. For example,

Greet_user = username
Hello

• Now, injecting HTML tag.

Greet_user = username}}<tag>
Hello user_x <tag>

Preventions :
Preventions for server-side template injection can vary based on the template engine used. Though sandboxing and sanitization can be used to prevent this vulnerability.  

• Sandboxing –
  It is used to create an isolated test environment on a network that imitates end-user operating environments, in which a user can run, analyze, or observe code. It avoids threats from getting into the network and also helps in inspecting untrusted or untested code.
• Sanitization –
  Templates shouldn’t be generated from the user-controlled input. The user should pass the input to the template only by using template parameters. Sanitize the input before passing it to the templates by eliminating undesirable and unsafe characters before parsing the information. This reduces the vulnerabilities for any mischievous investigating of your templates.