Server Side Template Injection-Something Distinct!

Sagar Sajeev
Aug 4, 2022 (3 min read)


How's it going guys! My name is Sagar Sajeev and this is my writeup about one of my recent SSTI (Server Side Template Injection) findings.

Image Credit — Cobalt.io

According to PortSwigger, server-side template injection is when an attacker is able to use native template syntax to inject a malicious payload into a template, which is then executed server-side. A template engine enables you to use static template files in your application.

So basically, the attacker's input is parsed as template syntax instead of being treated as plain data, and the template engine evaluates it on the server. Depending on the engine, this can often be escalated all the way to RCE.

How did I find a SSTI bug?

  1. The target (target.com) had an ordinary sign up/register account page.
  2. In the Name field, enter {{7*7}}.
  3. Fill in the rest of the form normally. Put the payload only in the Name field, so that any change in the output can be traced back to that one input.
  4. As is usual and intended for web applications, the site greets a new user with a mail and asks them to verify the address.
  5. Here's the main part: the mail arrived with a subject like:

49, Welcome to target.com


So how did I get named 49?

  • The name was inserted into the mail's subject template before the template was rendered, so the engine treated {{7*7}} as an expression, evaluated it on the server and emitted 49 in place of the name.
  • Depending on the template engine, a confirmed SSTI can often be escalated to RCE. But payloads are engine-specific, so you cannot reuse one generic payload; fingerprint the engine first and then pick a payload for it.
  • {{system('whoami')}} → This is one payload that can prove RCE, but it only works on engines that expose a system() function directly to templates. On most engines it simply fails with an error, so the chance of this exact payload executing is quite low.
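To show concretely why the name turned into 49, here is an added example (it is not code from the original post, and the affected application's real code is unknown) that reproduces the bug with Jinja2, a common Python template engine. It assumes `pip install jinja2` and a constructed subject template "<name>, Welcome to target.com" that mimics the mail seen above. The vulnerable function splices the user's name into the template source before rendering, exactly the pattern that makes {{7*7}} evaluate; the safe function keeps the template fixed and passes the name as data.

```python
# Added example: reproduces the SSTI seen in the sign-up flow with Jinja2.
# Assumes: pip install jinja2. The subject template is constructed to mimic
# the welcome mail ("<name>, Welcome to target.com"); the real app's code is unknown.
from jinja2 import Environment, TemplateError

env = Environment(autoescape=False)  # subject lines are plain text, not HTML

# Constructed guess at how the affected app built its subject: str.format first,
# template engine second. The {name} placeholder is filled BEFORE Jinja2 parses it.
SUBJECT_SOURCE = "{name}, Welcome to target.com"


def vulnerable_subject(name: str) -> str:
    """Splice the raw name into the template source, then render.

    Whatever the user typed is now part of the template itself, so {{7*7}}
    is parsed and evaluated as an expression on the server.
    """
    source = SUBJECT_SOURCE.format(name=name)  # e.g. "{{7*7}}, Welcome to target.com"
    return env.from_string(source).render()


def safe_subject(name: str) -> str:
    """Keep the template static and hand the name over as a context variable.

    The engine only ever parses the fixed template; the name is printed as data,
    so template syntax inside it is never evaluated.
    """
    template = env.from_string("{{ name }}, Welcome to target.com")
    return template.render(name=name)


def probe(payload: str) -> str:
    """Send a fingerprinting payload through the vulnerable path and report
    either the rendered subject or the name of the engine error it raised."""
    try:
        return vulnerable_subject(payload)
    except TemplateError as exc:
        return f"error: {type(exc).__name__}"


if __name__ == "__main__":
    for payload in ("Sagar", "{{7*7}}", "{{7*'7'}}", "{{system('whoami')}}"):
        print(f"{payload:22} vulnerable -> {probe(payload)}")
        print(f"{'':22} safe       -> {safe_subject(payload)}")
```

Under Jinja2 the {{7*'7'}} probe renders as 7777777 (Python string repetition), which is one way to tell it apart from Twig, where the same probe gives 49. {{system('whoami')}} fails with UndefinedError because Jinja2 exposes no such function to templates, which matches the low success rate of that payload. For an HTML mail body you would also set autoescape=True; the subject line is plain text, so it is left off here.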

Here are a few more probes for you to try out. The output, not just whether something executes, tells you which engine you are dealing with:

  1. {{7*'7'}} (Jinja2 prints 7777777, Twig prints 49)
  2. #{ 5*8 }
  3. @(5+5) (Razor syntax)

You can find more SSTI payloads online, but try to adapt the payload to the engine you have identified rather than pasting it unchanged. This will increase the chance of it being executed.

I reported this about a month ago and have not yet received any reply from the company. This approach by companies is very tiresome for a bug bounty hunter. I hope they will reply to my mail someday :)

I hope you have learned something new today. I’ve made three other writeups on different interesting bugs. They are available on my Medium Profile. Please do check them out as well. (https://medium.com/@sagarsajeev)

Timeline

Submitted : 03–07–2022

→ No reply from the company, as of 05–08–2022 ←

I do share tips about bug bounties and related stuff every now and then over at my Twitter and LinkedIn handles, so do follow me there.

If you’ve got any queries, feel free to message me. I will be more than happy to help.

Happy Hacking!

