Technical Analysis of "Explotación y prevención de SSTI" (Server-Side Template Injection)

Overview:
This presentation by Artssec provides a comprehensive overview of Server-Side Template Injection (SSTI), detailing its exploitation and prevention methods. SSTI occurs when user input is directly embedded into a server-side template, allowing attackers to execute arbitrary code on the server.

Key Technical Details:

Understanding SSTI:

  1. Template Engines:
  2. Template engines are used to dynamically generate HTML or other text output.

  3. Common engines include Jinja2 (Python), Twig (PHP), and Freemarker (Java).

  4. Vulnerability Mechanism:

  5. SSTI arises when user input is concatenated directly into the template without proper sanitization or escaping.
  6. Example: {{ user_input }} in a Jinja2 template.

Exploitation Techniques:

  1. Basic Payloads:
  2. Injection can be simple, such as {{ 7*7 }} which outputs 49 if the engine evaluates it directly.

  3. Testing involves injecting non-malicious payloads that demonstrate execution, such as {{%20}} in Jinja2.

  4. Advanced Payloads:

  5. Exploitation often involves accessing built-in methods or sensitive variables.
  6. In Jinja2, accessing config or self.__globals__.__builtins__.eval can lead to arbitrary code execution.

Example payload in Jinja2: jinja {{ config.items() }}

  1. Escalating the Attack:
  2. Attackers may use the template engine to read server files, execute commands, or pivot to further systems.

Python exploitation via os module: jinja {{ ''.__class__.mro()[1].__subclasses__()[407]("cat /etc/passwd", shell=True, stdout=-1).communicate() }}

Real-World Examples:

  1. Case Studies:

  2. The presentation references real-world cases where SSTI led to significant breaches, demonstrating the impact of these vulnerabilities.

  3. Common Platforms:

  4. Applications in various programming languages are at risk, especially those using template engines with improper input handling.

Prevention and Mitigation:

  1. Input Sanitization:
  2. Ensure user inputs are properly sanitized before being included in templates.

  3. Utilize templating functions that automatically escape user input.

  4. Context-Aware Escaping:

  5. Implement context-aware escaping, where the nature of the input context determines the escaping strategy.

  6. Example for HTML context: converting < to <.

  7. Least Privilege:

  8. Follow the principle of least privilege for the processes that handle templates.

  9. Restrict filesystem access and execution rights for the template engine process.

  10. Security Measures:

  11. Use static analysis tools to detect potential SSTI vulnerabilities during development.
  12. Implement Content Security Policy (CSP) to reduce the impact of a successful injection.

Detection:

  1. Automated Testing:
  2. Use automated security scanners to detect SSTI vulnerabilities during the development cycle.
  3. Manual Testing:
  4. Penetration testers should craft and inject specific payloads to identify injection points.
  5. Monitoring:
  6. Implement logging and monitoring to detect exploitation attempts against the template engine.

Conclusion:

The presentation effectively outlines the high risk associated with SSTI vulnerabilities and underscores the importance of robust input handling and sanitization practices. By illustrating both basic and advanced exploitation techniques, it provides a clear roadmap for security professionals to understand the mechanics of SSTI and implement effective prevention and mitigation strategies.

Additional Resources: - For further reading and advanced detection tools, refer to online repositories and security forums specializing in web application security and template engine exploitation techniques.

Source:

For complete details, visit the original slides here.