Thursday, March 29, 2018

OWASP TOP 10: SSTI

This time we'll talk a little about server-side template injection (SSTI) attacks, when they occur and what to do to mitigate the risk.


Overview

Like every other type of injection, SSTI sits at the top of the OWASP list, threatening web applications on a daily basis. SSTI is exploited when template directives are injected through user input that is unsafely embedded into a template. The effect can be catastrophic, especially when remote code execution (RCE) is possible.

POC
In the following short video, we can see how a server-side template injection occurs in a Flask application using the Jinja template engine. The POC is made inside a CTF challenge, so only the flag is shown and no RCE is performed. In real-life systems, other data may be exposed, endangering the company's assets.


Mitigation
The risk of a server-side template injection attack caused by accepting template directives can be mitigated by rendering templates within a sandboxed environment, by protecting user-input fields so that templates are never created from them, and by checking the template engine's documentation for specific patches and advice on hardening that engine.
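The vulnerable pattern from the POC next to the mitigated forms, as an added example that is not code from the original post. It uses the jinja2 package directly rather than Flask (Flask's render_template_string wraps the same engine); the function names and the probe string are constructed for this demonstration.

```python
"""Server-side template injection in Jinja2: vulnerable pattern beside the safe ones.

Added example, not from the original post. Uses the jinja2 package directly;
function names and sample input are constructed for this demonstration.
"""
from typing import Optional

from jinja2 import Environment
from jinja2.exceptions import UndefinedError
from jinja2.sandbox import SandboxedEnvironment, SecurityError

# Constructed sample of what a user might type into a "name" field.
PROBE = "{{ 7*7 }}"


def greet_vulnerable(name: str) -> str:
    """Concatenates user input into the template SOURCE.

    Whatever the user typed is parsed as template syntax, so directives in
    the input are evaluated by the engine. This is the SSTI pattern.
    """
    env = Environment()
    source = "Hello " + name + "!"  # user input becomes template code
    return env.from_string(source).render()


def greet_safe(name: str) -> str:
    """Keeps the template fixed and passes user input as a context VARIABLE.

    The engine treats `name` as data, not code: "{{ 7*7 }}" is printed
    literally. autoescape=True additionally neutralises HTML in the value.
    """
    env = Environment(autoescape=True)
    template = env.from_string("Hello {{ name }}!")  # template source is constant
    return template.render(name=name)


def render_sandboxed(template_source: str) -> Optional[str]:
    """Renders untrusted template source inside Jinja2's SandboxedEnvironment.

    The sandbox blocks access to private attributes and unsafe callables;
    this helper returns None when the sandbox raises. It does NOT stop
    ordinary expressions such as arithmetic, so it limits damage rather
    than removing the injection itself.
    """
    env = SandboxedEnvironment()
    try:
        return env.from_string(template_source).render()
    except (SecurityError, UndefinedError):
        return None


if __name__ == "__main__":
    print("vulnerable:", greet_vulnerable(PROBE))          # Hello 49!
    print("safe      :", greet_safe(PROBE))                # Hello {{ 7*7 }}!
    print("sandboxed :", render_sandboxed("{{ ''.__class__ }}"))
```

The `greet_vulnerable`/`greet_safe` pair is the check to apply when reviewing code: if user input ever reaches the template source string, the engine will interpret it. The sandbox is the second layer the post recommends; it narrows what an injected directive can reach, but the first fix is to keep input out of the template source altogether.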


Sources:
https://nvisium.com/resources/blog/2015/12/07/injecting-flask.html
https://portswigger.net/kb/issues/00101080_server-side-template-injection
http://flask.pocoo.org/docs/0.12/templating/
