Server Side Template Injection


Hello everyone,

we are gonna learn about Server side template injection which is a vulnerability which could leads to achieve remote code execution sometimes and many other.

What is Server side template injection.

Server side template injection is a type of vulnerability which exists in web applications that could leads to arbitrary command injection like remote code injection, listing the directories and files, and etc.

To say it more clearly, In web applications they use something called Templates. Templates are known as, the outlook of the Web-page looks similar but that content will be different. In those web applications templates are used. And I think, every web application is using but with different technologies.

I hope you had got some idea, what is server side template injection.

Now, to take give you more information about it, we are going to do a lab which is related to Server Side Template Injection. Likewise you will also understand, how we should find Server Side Template Injection Vulnerabilities.

I am going to use Port-Swigger Labs for testing purpose. And in coming future we are going to increase the more labs in our Own Website to give you better understanding experience and gain experience while reading the article.

Lab Solving

As I said, We are going to solve a basic Server side template injection lab, Here we go.

Now, This lab is vulnerable due to unsafe construction of ERB Template.

The Lab which I am going to solve link is :

Steps to complete this lab are mentioned below:

  • Open your Burp suite and then open your favourite Browser and then connect using proxy.
  • Now, Open the lab in the browser and click on the  “Access The Lab”
  • Once, the lab is opened. Check where you are able to see error messages like. “This is out of stock” because we are in the lab of some products and it might show sometimes we are out of stock.
  • But in this lab case, we need to check for this error  “Unfortunately this product is out of stock”
  • So, try to click on each and every product. And you will get that.
  • Now, when you try to click on every product, by clicking on the first product, you can see the error which I had mentioned in the previous steps.
  • Now, Capture that request and it may look like this.
  •  In this lab the ERB Template is vulnerable, so check the documentation of ERB and check how the message is taken.
  • The message syntax is taken as like this <%= Some Expression %>  . Now, we try to inject the basic payload (or) most used payload.
  • And the payload is converted into this message syntax which is : <%= 7*7 %>
  • And before place it in the input field of message parameter. Encode that payload because, as you can see the error in the request. It is in the encoded form. So encode the payload and then put it in the message parameter. Again capture the request and place it.
  • After sending the request, now check the browser for any changes happened in it.
  • As you can see, before the value used to be, “Unfortunately this product is out of stock” but now we can see in the place of it we have 49.
  • So it means, it is likely vulnerable to Server side template injection, But we need to delete the morale.txt file from Carol’s home directory. It means the lab is still not solved.
  • Now, going further. We need to construct a payload through which we can go into the Carol’s home directory and successfully delete the morale.txt file.
  • From the Ruby documentation, ERB is from ruby itself. Now we need to execute arbitrary operating system command, so we use system() method.
  • And the payload we constructed to delete the txt file is <%= system(“rm /home/carlos/morale.txt”) %>  . Now we need to encode this payload and then capture the request again and then placing the payload and wait for the output.
  • Now, we had successfully sent the request and now open the browser. Look for the output.
  • You can see, that “Congratulation, you solved the lab”. And we had successfully solved the lab. When you do it for the first time, you will be able to “true” message in the place of “Internal Server Error”
  • I had done it twice, so it came that, there is “no such file or directory”.
  • Congratulations to you, that you also had successfully, solved the lab with me too. While solving yourself, try to refer this article, so that it would so clear if you had any doubts.

I hope you had got information, that we can do delete the files, execute commands using Server Side Template Injection. And how much damage it could costs for the web applications or the companies.

You can ask me, That you had showed us how to complete the lab. But what is the impact of this vulnerability.

The impact for this vulnerability is mentioned below.

What would be the impact?

As I mentioned before, the impact could go beyond and damage the web application in some cases.

  • Arbitrary Commands can be executed
  • We can list the files in the directory of internal files.
  • We can see the username passwords which should not be seen.
  • Can see the internal sensitive files, passwords, etc.

And many more….

Then, what would be the mitigation for this kind of dangerous vulnerability.

Here you, go

Mitigation of this dangerous vulnerability?

First of all, we cannot restrict or can’t stop taking inputs from the user through those templates.

Here are some few things which can be used:

  1. Try to use logic less template engine’s unless, it is necessary.
  2. Another thing we can do is, Allow the user to execute code in sand-boxed environment where potentially dangerous modules and functions had been removed altogether. Because Sand-boxing UN-trusted code is much difficult and difficult to bypass.
  3. Now, it’s time for arbitrary command execution. It is inevitable and we should apply our own sand-boxing by deploying your own template environment in a locked-down Docker container,

Lastly, I hope you had got an idea of what is Server side template injection, and how to find the vulnerability, and what could the impact and what can be achieved using this vulnerability and what mitigation should be taken to avoid from happening this vulnerability.

Thanks for reading our article, and if you have any doubts regarding the article please let us know in the comments and if you need more information regarding any vulnerability.

Let us know through the comments section and we will definitely go through the comments and wish to complete the request from your side.

Thank you.