SSTI
Introduction
What is Server Side Template Injection?
Server Side Template Injection (SSTI) is a web exploit which takes advantage of an insecure implementation of a template engine.
What is a template engine?
A template engine allows you to create static template files which can be re-used in your application.
What does that mean? Consider a page that stores information about a user, /profile/<user>. The code might look something like this in Python’s Flask:
1
2
3
4
5
6
7
8
9
10
from flask import Flask, render_template_string
app = Flask(__name__)
@app.route("/profile/<user>")
def profile_page(user):
template = f"<h1>Welcome to the profile of {user}!</h1>"
return render_template_string(template)
app.run()
This code creates a template string, and concatenates the user input into it. This way, the content can be loaded dynamically for each user, while keeping a consistent page format.
Note: Flask is the web framework, while Jinja2 is the template engine being used.
How is SSTI exploitable?
Consider the above code, specifically the template string. The variable user (which is user input) is concatenated directly into the template, rather than passed in as data. This means whatever is supplied as user input will be interpreted by the engine.
Note: The template engines themselves aren’t vulnerable, rather an insecure implementation by the developer.
What is the impact of SSTI?
As the name suggests, SSTI is a server side exploit, rather than client side such as cross site scripting (XSS).
This means that vulnerabilities are even more critical, because instead of an account on the website being hijacked (common use of XSS), the server instead gets hijacked.
The possibilities are endless, however the main goal is typically to gain remote code execution.