SSTI

PRACTICE! PRACTICE! PRACTICE!

SSTI (server-side template injection) is a web vulnerability that lets an attacker take advantage of an insecure use of a template engine.

What is a Template Engine?

A template engine lets us create static template files that can be re-used across our application.

Consider a page that shows information about a user at /profile/user:

    from flask import Flask, render_template_string

    app = Flask(__name__)

    @app.route("/profile/<user>")
    def profile_page(user):
        # The user-controlled path segment is spliced into the template source
        # itself, not passed as template data. This is the vulnerable pattern
        # discussed on this page.
        template = f"<h1>Welcome to the profile of {user}!</h1>"
        return render_template_string(template)

    if __name__ == "__main__":
        app.run()

The @app.route decorator defines the /profile/<user> endpoint, and we define a function called profile_page that takes one argument, user, builds the template string from that user name, and renders the template.

Flask is the web framework, while Jinja2 is the template engine being used.

So how is it exploitable?

The variable user (which is user input) is concatenated directly into the template source rather than passed in as data. This means whatever is supplied as user input is interpreted by the template engine as template code.

An insecure implementation like this by the developer leads to template injection; the developer must properly sanitize the user's input and pass it to the template as data rather than building the template from it.
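As an added example (not code from the original page), here is the vulnerable route from above next to a hardened version that keeps the template source fixed and passes user as template data, plus a small check that tells the two apart by rendering a harmless arithmetic expression in the user field. The route paths, the view names, render_profile and is_template_evaluated are my own choices for this illustration.

```python
from flask import Flask, render_template_string

app = Flask(__name__)

# Vulnerable pattern from the page: user input is spliced into the template
# SOURCE, so Jinja2 parses and evaluates any template syntax it contains.
@app.route("/vulnerable/<user>")
def vulnerable_profile(user):
    template = f"<h1>Welcome to the profile of {user}!</h1>"
    return render_template_string(template)

# Hardened version: the template source is a fixed string written by the
# developer; the user name is supplied as DATA through the template context.
# Jinja2 then treats it as text (and Flask autoescapes HTML characters in it).
PROFILE_TEMPLATE = "<h1>Welcome to the profile of {{ user }}!</h1>"

@app.route("/profile/<user>")
def safe_profile(user):
    return render_template_string(PROFILE_TEMPLATE, user=user)

def render_profile(view, user):
    """Call a view function with a given user name inside an app context
    and return the rendered HTML (no HTTP server needed). Helper added for
    this example."""
    with app.app_context():
        return view(user)

def is_template_evaluated(view, probe="{{7*7}}", expected="49"):
    """Detection check (helper added for this example): render a harmless
    arithmetic expression as the user name. If the expected result appears
    and the probe text disappears, the engine evaluated the input as
    template code rather than displaying it as data."""
    body = render_profile(view, probe)
    return expected in body and probe not in body

if __name__ == "__main__":
    for view in (vulnerable_profile, safe_profile):
        print(view.__name__, "->", render_profile(view, "{{7*7}}"),
              "| evaluated:", is_template_evaluated(view))
```

The vulnerable view renders the probe as 49 because the braces became part of the template Jinja2 compiles; the hardened view prints the probe back verbatim because it only ever reaches the engine as a context value. The same check run against any endpoint that reflects user input is a cheap way to confirm whether a fix actually moved the input out of the template source.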
