The risks of server side template injection

In the ever-changing world of application development the list of web technologies continues to grow. That in itself is not a bad thing, but with new technologies come new vulnerabilities. In recent years more and more web applications have used templating engines to build dynamic pages.

Templating isn’t restricted to one language: whether you build with Python, PHP or even Go, the list of templating engines seems to grow by the day. But what exactly is a templating engine?

A templating engine takes a template, a mostly static document (usually stored in its own file) that contains placeholders, and renders it into output. At render time each placeholder is replaced with the value supplied for it, so one template can produce many pages. As an example, it would be impractical for a website administrator to hand-write a page for every book in the world, so the book details are kept in a database.

The application fetches content such as the book title from the database and passes it to the template as data; the templating engine then places the title in the designated spot.

The syntax that marks the parts of a template the engine interprets varies with the language the application is built in and the engine in use. Here are some examples:

<%= ... %>  -  ERB
{{ ... }}  -  Jinja
#{ ... }   -  Pug
${ ... }   -  Mako

When the engine renders the page it substitutes the value of the variable wherever its placeholder appears. Here’s a simple example:

<h1>{{ the_title }}</h1>

The example above is similar to what would be provided to the Jinja templating engine; once rendered it would look something like this:

<h1>The lord of the rings</h1>

On its own this sort of thing isn’t harmful. The risk arises when the text the engine renders has been supplied by the user. If the application concatenates user input into the template itself rather than passing it to the template as data, a user can inject template syntax, and the engine will evaluate it on the server, hence the name server-side template injection.

Testing for server-side template injection

Testing for server-side template injection is simpler than you might think: submitting a simple arithmetic expression inside a placeholder, such as ${7*7}, reveals whether the input is being evaluated. If it is, the rendered page shows 49 where the input is reflected (in the title, in the example above) rather than the literal text 7*7. It’s important to note that some placeholder syntaxes are also recognised by front-end JavaScript frameworks such as Angular; if the expression is evaluated in the browser rather than on the server, that is a cross-site scripting vulnerability, not server-side template injection.

Which placeholder syntax is required depends on the templating engine in use, so submitting each of the candidate syntaxes in an input field such as the application’s search box will reveal which engine is being used.

What can be achieved with server-side template injection

Because server-side template injection allows code to run on the application back end, this vulnerability has the potential to completely compromise the web server. In the example above the Mako templating engine is in use, which evaluates its placeholders as Python, so a single line of Python placed inside ${ } is enough to read the full source code of the application in question.

Additionally, with code execution it is straightforward for an attacker to run system commands and gain remote access to the application server.
