SSTI

PRACTICE ! PRACTICE ! PRACTICE !

Now that we've exploited the application, let's see what was actually happening in the backend.

# Raw code: the user value is formatted straight into the template source
template = f"<h1> Welcome to the profile of {user}! </h1>"

# Template source after injecting my name
template = "<h1> Welcome to the profile of Akash! </h1>"

# Template source after injecting the payload {{ 7 * 7 }}
template = "<h1> Welcome to the profile of {{ 7 * 7 }}! </h1>"

# ...which the template engine evaluates when it renders the template
output = "<h1> Welcome to the profile of 49! </h1>"

So how do we mitigate this now?

Secure methods

Most template engines have a feature that lets you pass input in as data, rather than concatenating the input into the template source.

In Jinja2, this is done by passing the value as the context argument (the second argument to render_template_string) instead of formatting it into the template string, so the engine treats it as data rather than as template code.

from flask import render_template_string

# Insecure code: the user value becomes part of the template source
def profile_insecure(user):
    template = f"<h1> Welcome to the profile of {user}! </h1>"
    return render_template_string(template)

# Secure code: the template is constant and the user value is passed as context data
def profile_secure(user):
    template = "<h1> Welcome to the profile of {{ user }}! </h1>"
    return render_template_string(template, user=user)

Sanitisation

User input cannot be trusted and is very dangerous, so for every place in your application where a user is allowed to add custom content, make sure the input is sanitised!

This can be done by first planning which character set you want to allow, adding those characters to an allowlist, and enforcing it with a regex that strips everything else.

import re
from flask import render_template_string

def profile(user):
    # Remove everything that isn't alphanumeric: the negated class [^A-Za-z0-9]
    # matches every character outside the allowed set
    user = re.sub(r"[^A-Za-z0-9]", "", user)

    template = "<h1> Welcome to the profile of {{ user }}! </h1>"
    return render_template_string(template, user=user)
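A runnable version of both mitigations above (the constant template with context data, and the allowlist sanitiser), added here as an example and not taken from the page: it assumes the jinja2 package, which Flask's render_template_string uses underneath, and uses a constructed probe value.

```python
import re
from jinja2 import Environment

# Assumption: Flask's render_template_string compiles the string with Jinja2, so a
# plain Environment reproduces the behaviour; autoescape=True matches Flask's setting.
env = Environment(autoescape=True)

# Constructed probe input: a template expression rather than a name.
PROBE = "{{ 7 * 7 }}"


def render_insecure(user: str) -> str:
    # Vulnerable pattern: the user value becomes template SOURCE, so any
    # {{ ... }} it contains is evaluated by the engine.
    template = f"<h1> Welcome to the profile of {user}! </h1>"
    return env.from_string(template).render()


def render_secure(user: str) -> str:
    # Fixed pattern: the template is a constant and the user value is DATA in
    # the context, so it is printed (HTML-escaped), never evaluated.
    template = "<h1> Welcome to the profile of {{ user }}! </h1>"
    return env.from_string(template).render(user=user)


def allowlist(user: str) -> str:
    # Keep only characters in the allowed set. The ^ must be INSIDE the brackets
    # (negated class); "^[A-Za-z0-9]" would instead delete the first alphanumeric
    # character and leave every brace and symbol in place.
    return re.sub(r"[^A-Za-z0-9]", "", user)


if __name__ == "__main__":
    print(render_insecure("Akash"))         # rendered normally
    print(render_insecure(PROBE))           # expression evaluated: 49
    print(render_secure(PROBE))             # expression shown literally
    print(render_secure(allowlist(PROBE)))  # braces and operator stripped: 77
```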

Remember to read the documentation of the template engine you are using.
