
SSTI

PRACTICE! PRACTICE! PRACTICE!

SSTI (Server-Side Template Injection) is a web vulnerability that lets an attacker take advantage of an insecure implementation of a template engine.

What is a Template Engine?

A template engine lets us create static template files that can be re-used across our application, with placeholders that are filled in with data at render time.

Consider a page that displays information about a user at /profile/user:

from flask import Flask, render_template_string

app = Flask(__name__)

@app.route("/profile/<user>")
def profile_page(user):
    # Vulnerable by design: the user-controlled path segment is spliced into
    # the template source itself, so the engine will parse it as template syntax
    template = f"<h1>Welcome to the profile of {user}!</h1>"
    return render_template_string(template)

if __name__ == "__main__":
    app.run()

The @app.route decorator defines the /profile/<user> endpoint, and the function profile_page takes one argument, user, builds the template string from that user name and renders it.

Flask is the web framework; Jinja2 is the template engine it uses.

So how is it exploitable?

The variable user (which is user input) is concatenated directly into the template source rather than passed in as data. This means whatever is supplied as user input is parsed and evaluated by the template engine as template syntax.

An insecure implementation by the developer leads to template injection: the developer must keep user input out of the template source and properly sanitize it.
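The difference between "input concatenated into the template" and "input passed as data" can be shown directly with Jinja2, the engine Flask uses. The block below is an added example, not code from the original page; it assumes the jinja2 package is installed and uses a constructed probe input, the harmless arithmetic expression {{ 7*7 }}, to check whether the engine evaluated the input. The render_vulnerable function mirrors the page's profile_page, render_safe is the corrected form, and probe_was_evaluated is a hypothetical helper that inspects the rendered output.

```python
from jinja2 import Environment

# Constructed sample input: a benign arithmetic expression. If the rendered page
# contains its result instead of the literal text, user input reached the engine
# as template syntax rather than as data.
PROBE = "{{ 7*7 }}"

# Autoescaping on, as Flask configures it for HTML templates
env = Environment(autoescape=True)


def render_vulnerable(user: str) -> str:
    """Same mistake as the page's profile_page(): the input becomes part of the
    template source, so the engine parses and executes it."""
    template = env.from_string(f"<h1>Welcome to the profile of {user}!</h1>")
    return template.render()


def render_safe(user: str) -> str:
    """Corrected form: the template source is a constant and the input is passed
    in as a context variable. The engine prints it (escaped) and never parses it."""
    template = env.from_string("<h1>Welcome to the profile of {{ user }}!</h1>")
    return template.render(user=user)


def probe_was_evaluated(rendered: str) -> bool:
    """Hypothetical check helper: True when the probe's result (49) appears in the
    output and the probe text itself does not, i.e. the engine evaluated it."""
    return "49" in rendered and PROBE not in rendered


if __name__ == "__main__":
    for label, fn in (("vulnerable", render_vulnerable), ("safe", render_safe)):
        out = fn(PROBE)
        print(f"{label:10s} evaluated={probe_was_evaluated(out)!s:5s} {out}")
    # The safe form also escapes HTML, which the vulnerable form does not
    print(render_vulnerable("<b>x</b>"))
    print(render_safe("<b>x</b>"))
```

In the Flask code above, the equivalent fix is to call render_template_string("<h1>Welcome to the profile of {{ user }}!</h1>", user=user): the template string is then a constant in the source code and the user name travels as context data.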

Last updated 2 years ago
