Hello everyone, wishing you and your family a Happy New Year. May your dreams come true and may you be happy.

Coming back to the article: today we are going to learn about Server Side Template Injection, a vulnerability that can sometimes lead to remote code execution, among many other impacts.

If you are searching for free Account Takeover labs, you can visit our website. We have some nice Account Takeover labs in which you can gain good hands-on experience while completing them.

Account Takeover Labs link: https://bepractical.tech/account-takeover-labs/

Now, coming back to the article.

First of all, we are going to learn what Server Side Template Injection is.

What is Server Side Template Injection?

Server-side template injection is a vulnerability in web applications where user input is embedded into a template in an unsafe way and evaluated by the template engine. It can lead to arbitrary command execution (for example remote code execution), listing directories and files, and more.

To say it more clearly: web applications use something called templates. A template defines the layout of a page, so that every page looks similar while the content differs. I think almost every web application uses templates, just with different technologies.

I hope you now have some idea of what server-side template injection is.

Now, to give you more information about it, we are going to do a lab related to Server Side Template Injection. Along the way, you will also understand how to find Server Side Template Injection vulnerabilities.

I am going to use the PortSwigger labs for testing purposes. In the future, we are going to increase the number of labs on our own website so that you can gain hands-on experience while reading the article.

Lab Solving

As I said, we are going to solve a basic Server Side Template Injection lab. Here we go.

This lab is vulnerable due to the unsafe construction of the ERB template.

The link to the lab I am going to solve is: https://portswigger.net/web-security/server-side-template-injection/exploiting/lab-server-side-template-injection-basic

The steps to complete this lab are mentioned below:

  • Open Burp Suite, then open your favorite browser and connect it to the Burp proxy.
  • Open the lab in the browser and click on “Access the lab”.
  • Once the lab is opened, check where you are able to see error messages. The message we are interested in is about being “out of stock”, because the lab is a shop with products and it sometimes shows that a product is out of stock.
  • In this lab, the exact error to check for is “Unfortunately this product is out of stock”.
  • So try clicking on each and every product, and you will find it.
  • When you go through the products, clicking on the first product shows the error I mentioned in the previous steps.
  • Now capture that request; it may look like this.
Capturing the request using Burp Suite
  • In this lab the ERB template is vulnerable, so check the ERB documentation to see how the message is rendered.
  • In ERB, an expression is written as <%= Some Expression %>. Now we try to inject the basic payload, which is also the most commonly used one.
  • Converted into this syntax, the payload is: <%= 7*7 %>
  • Before placing it in the message parameter, encode the payload, because, as you can see in the request, the existing error message is in encoded form. So encode the payload, capture the request again, and put it in the message parameter.
Inserting the basic payload and sending the request
  • After sending the request, check the browser for any changes.
Output of the payload
  • As you can see, where the value used to be “Unfortunately this product is out of stock”, we now see 49.
  • So it is likely vulnerable to Server Side Template Injection. But to solve the lab we need to delete the morale.txt file from Carlos’s home directory, so the lab is not solved yet.
  • Going further, we need to construct a payload that reaches Carlos’s home directory and successfully deletes the morale.txt file.
  • From the Ruby documentation: ERB is part of Ruby itself. To execute arbitrary operating system commands, we use the system() method.
  • The payload we constructed to delete the txt file is <%= system("rm /home/carlos/morale.txt") %>. Now encode this payload, capture the request again, place the payload, and wait for the output.
Sending the request with the payload required to solve the lab
  • Now that we have successfully sent the request, open the browser and look for the output.
Lastly, the lab is solved
  • You can see “Congratulations, you solved the lab”. We have successfully solved the lab. When you do it for the first time, you will see a “true” message in place of the “Internal Server Error”.
  • I had done it twice, so for me it said “no such file or directory”.
  • Congratulations to you too, for successfully solving the lab along with me. While solving it yourself, refer to this article so that any doubts become clear.

I hope you now understand that we can delete files and execute commands using Server Side Template Injection, and how much damage it could cause to web applications and companies.

You may ask: you showed us how to complete the lab, but what is the impact of this vulnerability?

The impact of this vulnerability is mentioned below.

What would be the impact?

As I mentioned before, the impact can go beyond that and, in some cases, damage the whole web application.

  • Arbitrary commands can be executed.
  • We can list the files in internal directories.
  • We can read usernames and passwords that should not be visible.
  • We can read other internal sensitive files, secrets, etc.

And many more….

Then, what would be the mitigation for this kind of dangerous vulnerability?

Here you go.

How to mitigate this dangerous vulnerability?

First of all, we cannot simply stop taking input from the user just because that input ends up in a template.

Here are a few things that can be done:

  1. Use logic-less template engines unless a logic-capable one is really necessary.
  2. Another option is to only allow user-controlled code to run in a sandboxed environment where potentially dangerous modules and functions have been removed altogether. Keep in mind, though, that sandboxing untrusted code is difficult to get right and prone to bypasses.
  3. If arbitrary code execution is unavoidable, apply your own sandboxing by deploying the template environment in a locked-down Docker container.
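To make the lab's root cause and the first mitigation concrete, here is an added Ruby example (not code from the lab or from PortSwigger) that renders the same message two ways: the unsafe construction, where the user's message is concatenated into the ERB template source, and the safe construction, where the template is a fixed string and the message only ever reaches it as escaped data. The `7*7` probe from the lab walkthrough above is used as the constructed input; the function and constant names are my own.

```ruby
require "erb"
require "cgi"

# Unsafe construction (what the lab's vulnerable ERB template does):
# the user-supplied message becomes part of the template SOURCE, so any
# <%= ... %> inside it is evaluated as Ruby by the template engine.
def render_unsafe(message)
  template_source = "<p>#{message}</p>"
  ERB.new(template_source).result(binding)
end

# Safe construction: the template source is fixed, written by the developer.
# The message is passed in as a variable and HTML-escaped, so the engine
# never sees user-controlled template syntax, only a string value.
SAFE_TEMPLATE = ERB.new("<p><%= CGI.escapeHTML(message) %></p>")

def render_safe(message)
  SAFE_TEMPLATE.result_with_hash(message: message)
end

# Constructed inputs: the shop's normal message and the lab's probe payload.
NORMAL_MESSAGE = "Unfortunately this product is out of stock"
PROBE_MESSAGE  = "<%= 7*7 %>"

if __FILE__ == $PROGRAM_NAME
  puts render_unsafe(NORMAL_MESSAGE) # <p>Unfortunately this product is out of stock</p>
  puts render_unsafe(PROBE_MESSAGE)  # <p>49</p>  -> expression was evaluated: SSTI
  puts render_safe(PROBE_MESSAGE)    # <p>&lt;%= 7*7 %&gt;</p>  -> shown literally
end
```

Seeing 49 where the literal text should appear is exactly the signal the lab walkthrough relies on; with the fixed-template construction the same input is just displayed back.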

Lastly, I hope you now have an idea of what Server Side Template Injection is, how to find the vulnerability, what its impact is and what can be achieved with it, and what mitigations should be applied to prevent it.

Thanks for reading our article. If you have any doubts regarding the article, or if you need more information regarding any vulnerability, please let us know in the comments.

We will definitely go through the comments and do our best to fulfil your requests.

Thank you, everyone.

And

Once Again Wishing you a Happy New Year.