Security is a way of life.

In this article, we will take a closer look at Server Side Template Injection. As always, let's first look at the terms and details we need to know in order to better understand the subject.

Topics to Know

1. MVC Architecture

MVC stands for Model-View-Controller, is an architectural pattern used in software engineering. The aim is to separate the business logic part of the written applications from the user interface and to ensure that the structures of the applications that serve different purposes can be developed and tested separately from each other.

For example, when a change needs to be made only in the appearance of the application, we will be able to work only with the view. In addition, our advantage is not only to arrange certain places, but also to make the parts needed in model and view structures can be reused in other projects.

Now let's examine the Model, view and controller parts separately.

1.1. Model

It represents the application's using data and here is the logic of data processing. Verification processes of the data are carried out here.

1.2. View

This part is the part of the application presented to the user. In other words, a user interacting with a web application is dealing with the View part, ie the interface.

1.3. Controller

In this section, operations between model and view are performed. The data resulting from the operations performed by the users on the view is transferred to the model. The data taken from the model is also displayed to the user through the view.

This coverage is explained with a different perspective in StackExchange. I wanted to quote this as a quote:

Consider your chess example. The model would of course include the game state, but it might also contain the logic that affects changes to the game state, such as determining whether a move is legal and deciding when the game is over. The view displays a chess board and pieces and sends messages when a piece moves, but it doesn't know anything about the meaning behind the pieces, how each piece moves, etc. The controller knows about both the model and the view as well as the overall flow of the program. When the user hits the 'new game' button, it's a controller that tells the model to create a game and uses the new game's state to set up the board. If the user makes a move, the controller relays the command to the model and, based on the response, allows the move or not.
Look at what you get by keeping model and view separate:
You can change the model or the view without changing the other. You may have to update the controller when you change either one, but in a way this is part of the advantage: the parts of the program that are most likely to change are concentrated in the controller.
Model and view can both be reused. For example, you could use the same chess board view with an RSS feed as a model to illustrate famous games. Or, you could use the same model and replace the view with a web-based interface.
It's easy to write tests for both model and view to ensure that they work the way they should.
Both model and view can often take advantage of standard parts: arrays, maps, sets, strings, and other data containers for the model; buttons, controls, text fields, image views, tables, and others for the view.

2. Template Engine

Template Engine are engines that are in the View layer of MVC architecture and process the data coming from the controller layer and transmit them to the user in HTML format.

When a request comes from the user, this request first reaches the controller layer. If an action is to be performed on the request, this request is sent to the model layer. The model layer also turns to the controller layer by doing the necessary actions. The controller, on the other hand, creates the page that the user will see by delivering the answer to the view layer. In this summary, the template engine is fully involved in the view layer and renders the incoming data using a template before it is presented to the user.

Examples of Template Engine:

• Twig and Smarty from PHP
• Freemaker, Velocity and WebMacros from Java
• Django, Jinja2 and Mako from Python
• Rage and Jade from Javascript

What is Server Side Template Injection?

Server Side Template Injection is a type of attack that occurs as a result of the Template Engines receiving unexpected input. XSS can be executed, Remote Code Execusion can be obtained.

The fact that an input we made as a user to detect Template Injection in the target system is combined with a variable by the server and processed on the template may indicate that there is a Template Injection there.

In order to do a Server Side Template Injection attack, we first check if we can run XSS on the target system. If we can run XSS, we can think of it as template injection.

Suppose we are running XSS, then we can try to run a simple math operation. If our math operation is running and the page is printed, we can say that there is Template injection there.

After detecting that there is template injection, the first step to be applied is to define the template engine. For this, we can try to make the other party make an error.

If we have identified the engine through the error messages, then we can try to read all the documents we can access. By obtaining extra information from the documents we will access, we can have more detailed information about the system and content, and we can update our attack tactic accordingly.

After that, according to the information we have learned, we can exploit the vulnerability and perform operations such as file reading/writing, LFI/RFI and authorization upgrades.

How Can We Mitigate?

  • It is recommended to render pre-prepared HTML templates instead of directly rendering the values received from the user.