Link Search Menu Expand Document

Server-Side Template Injection in .NET

Vulnerable example

Razor is a parsing engine designed to embed server code into ASP.NET web pages. The following ASP.NET controller concatenates a user-provided string into a Razor template, introducing the Server-Side Template Injection vulnerability.

[HttpGet]
[Route("page")]
public ActionResult Index(string name)
{
    var razorTpl = $"Hello {name}!";
    ViewBag.RenderedTemplate = Razor.Parse(razorTpl);
    ViewBag.Template = razorTpl;
    return View();
}

The user-supplied name variable is concatenated to the template text, allowing an attacker to inject template code. The screenshot shows the attacker injecting 7*7 to demonstrate that the result 49 is actually computed.

$ curl -g 'http://localhost:5000/page?name=@(7*7)'
Hello 49!

Razor does not restrict the execution of code, which can be easily achieved by using the @{} syntax. For example, the following running system command adds malicious.sh into the temporary folder.

$ curl -g 'http://localhost:5000/page?name=@{ System.Diagnostics.Process.Start("touch /tmp/malicious.sh"); }'

Prevention

Template engine API mechanisms automatically enforce the separation between code and data, providing the API are called correctly, as shown in the snippets within the RazorEngine section.

RazorEngine

RazorEngine is a templating engine built on the Razor parsing engine. It allows the use of the Razor syntax to build dynamic templates. This example passes the name variable, using a dynamic model to be consumed within the template context in a safe manner.

using RazorEngine;
using RazorEngine.Templating;

// ...

[HttpGet]
[Route("page")]
public ActionResult Index(string name)
{
    var razorTpl = "Hello @Model.name!";
    var result = Engine.Razor.RunCompile(razorTpl, "templateKey", null, new { name = name });
    return result;
}

References

CWE - CWE-94: Improper Control of Generation of Code (‘Code Injection’) CWE - CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’) PortSwigger - Server Side Template Injection