Server-side templates create an accessible method for the dynamic generation of HTML code management. But they could also be susceptible to SSTI(server-side template injection). To fully comprehend these mechanics, we must understand what template engines and SSTI attacks are. This can also help execute arbitrary code on the server.
What are Template Engines and SSTI Attacks?
Template engines are created by including multiple specific templates with variable data to create web pages. Server-side template injection attacks can occur when user input is concatenated directly into a template without being sanitized against evil characters. As a result, attackers can inject arbitrary template directives into the template engine, allowing them to manipulate the template engine and, in some cases, gain complete control of the server.
Some of the Template engines are listed below :
PHP – Smarty, Twigs
Java – Velocity, Freemaker
Python – JINJA, Mako, Tornado
JavaScript – Jade, Rage
Ruby – Liquid
Jinja: A Python Based Template Engine
Jinja is a Python template engine written as a self-contained open source project to create HTML, XML, or other markup formats returned to the user via an HTTP response. It is also referred to as “Jinja2”.
So why Jinja?
Today Jinja is the most widely used Python-based template engine and is opted by configuration management tools Ansible and SaltStack and the static site generator Pelican to generate output files. Given its vast adaptation, we will have Jinja as a reference to understand how the SSTI attack works.
The Vulnerable Code Snippet
Here, a part of the Template is dynamically generated using the form. Because template syntax is directly processed at the server-side without any filtration, an attacker possibly can inject a malicious payload inside the ‘name’ argument where user input is being placed within the template expression.
Identifying The Vulnerability
As shown in the code snippet, the input we’ll provide will be rendered precisely by the template engine.
So, if we put a mathematical expression to identify the vulnerability, if it is being rendered by template engine or not.
Input value- {{7*7}} returned ‘Hello 49!’. So it is confirmed that the backend is using jinja2.
Python depends on specific modules like ‘sys,’ which includes other dependencies such as the ‘OS’ module; we will target the ‘OS’ module here for exploitation. However, the exploitation and getting shell would not be that easy here as Jinja does not support the import statement.
Our very first goal here is to identify the template engine used by the target application, for which the TPLMAP tool can be leveraged. With numerous sandbox escape strategies, the TPLMAP tool aids the exploitation of Code Injection and Server-Side Template Injection vulnerabilities to get access to the underlying operating system.
Exploiting The Vulnerability
So as explained above, the import statement does not work in the case of Jinja; hence we will use some parts of code that are accessible to us, often called Gadgets, to achieve remote code execution.
The below payload will execute the malicious code which is inside the ‘popen’ function:
The above payload is explained in the below fig:
The RCE is achieved as shown below:
Workaround and Remediation
- Templates should not be created using user-controlled input. To pass user input to the Template, use template parameters. Sanitize the data before processing it by removing any unwanted or potentially hazardous characters before putting it into the templates. This decreases the likelihood of your templates being maliciously explored.
- Malicious code execution is inescapable if permitting certain dangerous characters to render specific elements of a template is a business requirement. Then encapsulating the template environment in a docker container is almost certainly the safer option. With this option, you may leverage Docker security to establish a safe environment that prevents dangerous actions.
About Signzy
Signzy is a market-leading platform that is redefining the speed, accuracy, and experience of how financial institutions are onboarding customers and businesses – using the digital medium. The company’s award-winning no-code GO platform delivers seamless, end-to-end, and multi-channel onboarding journeys while offering totally customizable workflows. It gives these players access to an aggregated marketplace of 240+ bespoke APIs that can be easily added to any workflow with simple widgets.
Signzy is enabling ten million+ end customer and business onboarding every month at a success rate of 99% while reducing the speed to market from 6 months to 3-4 weeks. It works with over 240+ FIs globally, including the 4 largest banks in India, a Top 3 acquiring Bank in the US, and has a robust global partnership with Mastercard and Microsoft. The company’s product team is based out of Bengaluru, and it has a strong presence in Mumbai, New York, and Dubai.
Visit www.signzy.com for more information about us.
You can reach out to our team at reachout@signzy.com
Written By:
Ankit Pandey
Ankit is a cyber geek currently working in the information security team at Signzy. Ankit holds eWPTX, eCPPTv2 & CEH certifications. Ankit is also an active member of Synack Red Team actively hacking and securing companies globally.
