
SSTI

PRACTICE ! PRACTICE ! PRACTICE !

Now that we've exploited the application, let's see what was actually happening in the backend.

# Raw code: the template source is built with an f-string, so whatever the
# user supplies becomes part of the template itself
template = f"<h1> Welcome to the profile of {user}! </h1>"

# Template source after injecting my name
template = "<h1> Welcome to the profile of Akash! </h1>"

# Template source after injecting the payload {{ 7 * 7 }}: the braces are now
# part of the template, so the engine evaluates the expression when rendering
template = "<h1> Welcome to the profile of {{ 7 * 7 }}! </h1>"
# Rendered output: <h1> Welcome to the profile of 49! </h1>

So how do we mitigate this now?

Secure methods

Most template engines have a feature that allows you to pass input in as data, rather than concatenating input into the template source.

In Jinja2 (here via Flask's render_template_string), this is done by passing the value as the second argument, a keyword argument that goes into the template context, instead of building the template string from it.

from flask import render_template_string

# Insecure code: user-controlled text is concatenated into the template
# source, so any {{ ... }} it contains is evaluated by the engine
template = f"<h1> Welcome to the profile of {user}! </h1>"
return render_template_string(template)

# Secure code: the template source is a constant; the user value is passed
# as context data and is only substituted (and autoescaped) at render time
template = "<h1> Welcome to the profile of {{ user }}! </h1>"
return render_template_string(template, user=user)

Sanitisation

User input cannot be trusted and is very dangerous. At every place in your application where a user is allowed to add custom content, make sure the input is sanitised!

This can be done by first deciding which character set you want to allow, adding those characters to a whitelist, and enforcing that whitelist with a regular expression.

import re
from flask import render_template_string

# Remove everything that isn't alphanumeric. The ^ must be inside the
# character class to negate it; "^[A-Za-z0-9]" would only strip a single
# leading alphanumeric character and leave braces and operators intact.
user = re.sub(r"[^A-Za-z0-9]", "", user)

template = "<h1> Welcome to the profile of {{ user }}! </h1>"
return render_template_string(template, user=user)
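As an added example that is not part of the original page, the whitelist approach carried through in plain Python with only the standard re module: it contrasts the anchored pattern ^[A-Za-z0-9] (which strips at most one leading character) with the negated class [^A-Za-z0-9], and adds a stricter validator that rejects unexpected input instead of silently reshaping it. The function names and the 32-character length limit are my own assumptions; no Flask or Jinja2 is needed to run it.

```python
import re

# Probe payload from the page: a template expression a Jinja2 engine would evaluate.
SSTI_PROBE = "{{ 7 * 7 }}"

def strip_anchored(user: str) -> str:
    # The defective pattern: ^ outside the class anchors the match to the start
    # of the string, so at most ONE leading alphanumeric character is removed and
    # braces, spaces and operators all survive.
    return re.sub("^[A-Za-z0-9]", "", user)

def strip_to_alnum(user: str) -> str:
    # Corrected whitelist: ^ inside the class negates it, so every character
    # that is NOT alphanumeric is removed.
    return re.sub(r"[^A-Za-z0-9]", "", user)

# Stricter alternative: validate instead of stripping. fullmatch requires the
# whole input to consist of whitelisted characters (length limit is an
# assumption), so unexpected input is refused rather than quietly rewritten.
ALLOWED = re.compile(r"[A-Za-z0-9]{1,32}")

def is_allowed_username(user: str) -> bool:
    return ALLOWED.fullmatch(user) is not None

def contains_template_syntax(value: str) -> bool:
    # Cheap post-sanitisation check for Jinja2 expression/statement delimiters.
    return "{{" in value or "{%" in value

if __name__ == "__main__":
    for name, fn in (("anchored", strip_anchored), ("negated", strip_to_alnum)):
        out = fn(SSTI_PROBE)
        print(f"{name}: {out!r} -> template syntax left: {contains_template_syntax(out)}")
    print("validator accepts probe:", is_allowed_username(SSTI_PROBE))
```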

Remember to read the documentation of the template engine you are using.
