Server-Side Template Injection
Overview of the Vulnerability
Server-Side Template Injection (SSTI) is a vulnerability within application templating engines where user input is improperly handled and is embedded into the template, possibly leading code being executed.
An attacker can use SSTI to execute code on the underlying system by manipulating values within the embedded template. When code is executed within the underlying system, it can allow an attacker to run permissioned commands under the exploited process, or exploit Cross-Site Scripting (XSS) to run code within the user's browser.
Business Impact
SSTI can lead to reputational damage for the business due to a loss in confidence and trust by users. If an attacker successfully executes code within the underlying system, it can result in data theft and indirect financial losses.
Steps to Reproduce
- Sign up and login to your account
- Use a browser to navigate to: email-templates {{URL}}
- put your payload in Edit Base template
{{ cycler.__init__.__globals__.os.popen('id').read() }} and you will se it will execute.
Payload:
{{ cycler.__init__.__globals__.os.popen('id').read() }}
Proof of Concept (PoC)
The screenshot(s) below demonstrates the SSTI:
References
rotil Reporter
Server-Side Template Injection
Overview of the Vulnerability
Server-Side Template Injection (SSTI) is a vulnerability within application templating engines where user input is improperly handled and is embedded into the template, possibly leading code being executed.
An attacker can use SSTI to execute code on the underlying system by manipulating values within the embedded template. When code is executed within the underlying system, it can allow an attacker to run permissioned commands under the exploited process, or exploit Cross-Site Scripting (XSS) to run code within the user's browser.
Business Impact
SSTI can lead to reputational damage for the business due to a loss in confidence and trust by users. If an attacker successfully executes code within the underlying system, it can result in data theft and indirect financial losses.
Steps to Reproduce
{{ cycler.__init__.__globals__.os.popen('id').read() }}and you will se it will execute.Payload:
{{ cycler.__init__.__globals__.os.popen('id').read() }}Proof of Concept (PoC)
The screenshot(s) below demonstrates the SSTI:
References