Add Active Scanner for Server Side Template Injection #2332

Open
kingthorin opened this Issue Mar 16, 2016 · 10 comments

Comments

6 participants
Collaborator

DarkPrince304 commented Mar 19, 2016

@kingthorin: Is Jinja2 the only template engine to be handled here, or are other engines also to be taken into consideration?

Member

kingthorin commented Mar 19, 2016

No, coverage should be as broad as possible. As you can see from the Black Hat presentation, there are dozens of template systems impacted, and likely others as well that are so far unknown.

Member

kingthorin commented Aug 16, 2016

@gokulkrishna01 are you tackling this?

Collaborator

KajanM commented Mar 14, 2018

@kingthorin
Hi, I am Kajan, a final year Computer Science and Engineering Undergraduate at University of Moratuwa, Sri Lanka.
I am new to open-source and web security.
I am applying for GSoC18 and would like to get started with this issue.
I have done the requirement studies and found that the approach to be implemented is almost the same as the Reflected-XSS active scan rule (TestCrossSiteScriptV2.java).
I am listing the steps, correct me if I am wrong.

  1. submit a safe value and analyze all locations where this value occurs in the response.
  2. submit generic payloads at the targeted locations and check the response to see whether the payload was executed by the template engine.
    (Initially, I am only focusing on plaintext context and functionality for code context will be added later.)
    generic payloads {
    Twig --> {{7*7}}
    Smarty --> {7*7}
    Freemarker --> ${7*7}
    jade --> #{7*7}
    Ruby --> [<%= 7 * 7 %>](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server Side Template injections)
    Java --> [${{7*7}}](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server Side Template injections)
    }
  3. bingo if 49 is found in the targeted contexts.

Is it enough to detect an SSTI vulnerability, or does the scan rule need to identify which template engine is used?

Member

kingthorin commented Mar 14, 2018

Seems like a good start to me. I'd suggest that the behavior be checked multiple times looking for the result in the same contexts (for example do 7x7, 8x8, 5x6 or something like that).
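The three steps from KajanM's comment, plus the repeated-operands check suggested just above, written out as a stand-alone Python simulation. This is an added example, not ZAP code and not code from anyone in the thread: the payload syntaxes are the ones listed in the comment, the `send` callable stands in for one HTTP round trip, and the three target functions are constructed stand-ins for a vulnerable page, a safe page, and a safe page that happens to contain the digits 49, so everything runs offline.

```python
"""SSTI detection logic from the thread, as a stand-alone simulation.

Steps: (1) reflect a harmless canary and record the context it lands in,
(2) send arithmetic payloads in several engine syntaxes at that location,
(3) flag the engine only when the evaluated product shows up in the same
context for several different operand pairs, not just one fixed 7*7.
"""
import html
import random
import re
from typing import Callable, Dict, List, Tuple

Target = Callable[[str], str]  # stand-in for "send this value, get the body back"

# Payload syntaxes listed in the thread; the %d placeholders take the operands.
PAYLOADS: Dict[str, str] = {
    "Twig": "{{%d*%d}}",
    "Smarty": "{%d*%d}",
    "Freemarker": "${%d*%d}",
    "Jade": "#{%d*%d}",
    "ERB (Ruby)": "<%%= %d * %d %%>",
    "Java EL": "${{%d*%d}}",
}


def reflection_contexts(body: str, canary: str, width: int = 8) -> List[Tuple[str, str]]:
    """Step 1: every place the canary is echoed, as (prefix, suffix) pairs."""
    contexts = []
    start = body.find(canary)
    while start != -1:
        end = start + len(canary)
        contexts.append((body[max(0, start - width):start], body[end:end + width]))
        start = body.find(canary, end)
    return contexts


def detect_ssti(send: Target, rounds: int = 3, seed: int = 0) -> List[str]:
    """Return the names of payload syntaxes whose arithmetic the target evaluates."""
    rng = random.Random(seed)  # seeded so a scan is reproducible
    canary = "zap%06d" % rng.randrange(10 ** 6)
    contexts = reflection_contexts(send(canary), canary)
    if not contexts:
        return []  # input is not reflected, nothing to evaluate

    hits = []
    for engine, template in PAYLOADS.items():
        confirmed = True
        for _ in range(rounds):
            # Fresh two-digit operands each round: the product is unlikely to
            # sit on the page by chance, unlike a fixed 49.
            a, b = rng.randrange(11, 99), rng.randrange(11, 99)
            payload = template % (a, b)
            body = send(payload)
            product = str(a * b)
            # Evaluated only if the product replaces the payload at a known
            # reflection point; a verbatim echo there means no evaluation.
            evaluated = any(
                pre + product + post in body and pre + payload + post not in body
                for pre, post in contexts
            )
            if not evaluated:
                confirmed = False
                break
        if confirmed:
            hits.append(engine)
    return hits


def naive_probe(send: Target) -> bool:
    """The weak form of step 3: one fixed 7*7 probe, look for 49 anywhere."""
    return "49" in send("{{7*7}}")


# --- Constructed targets standing in for real HTTP endpoints ----------------
TWIG_EXPR = re.compile(r"\{\{\s*(\d+)\s*\*\s*(\d+)\s*\}\}")


def vulnerable_target(value: str) -> str:
    """Renders the parameter as a Twig-style template: {{a*b}} is evaluated."""
    rendered = TWIG_EXPR.sub(lambda m: str(int(m.group(1)) * int(m.group(2))), value)
    return "<html><body><p>Hello, %s!</p></body></html>" % rendered


def safe_target(value: str) -> str:
    """Reflects the parameter HTML-escaped, no template evaluation."""
    return "<html><body><p>Hello, %s!</p></body></html>" % html.escape(value)


def lucky_target(value: str) -> str:
    """Not vulnerable, but the static page already contains the digits 49."""
    return ("<html><body><p>Item 49 of 100</p><p>Hello, %s!</p></body></html>"
            % html.escape(value))


if __name__ == "__main__":
    for name, target in [("vulnerable", vulnerable_target),
                         ("safe", safe_target), ("lucky", lucky_target)]:
        print("%-10s naive=%-5s confirmed=%s"
              % (name, naive_probe(target), detect_ssti(target)))
```

Run as a script it prints one line per target: the naive single-probe check flags both the vulnerable page and the "lucky" page, while the context-aware, repeated-operand check reports only `['Twig']` for the vulnerable page. The Java EL payload `${{a*b}}` is not reported against the Twig-style target even though its inner `{{a*b}}` is evaluated, because the leftover `$` means the product does not land in exactly the canary's context; that strictness is deliberate and is the kind of trade-off a real rule would want to tune.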

Member

thc202 commented Mar 14, 2018

Actually this issue is already being worked on, we forgot to update it.

Collaborator

KajanM commented Mar 14, 2018

@thc202 then I will look into other issues.

Member

thc202 commented Mar 14, 2018

Thanks, and sorry for not updating it sooner.

Collaborator

KajanM commented Mar 14, 2018

@thc202 that is okay, I learned so much by looking into it :)
