Server-Side Template Injection (also referred to as SSTI) is a class of vulnerability related to an inappropriate usage of template engines and can be leveraged to potentially execute code on the system. SSTI attacks occur when instead of being passed in as data, user input is concatenated into a template. When an attacker embeds a malicious payload into a server-side executed template, this can result in the execution of remote code on the server.
Server side template engines are often used by web applications as a way of easily managing dynamic content in web pages and emails. They are particularly common in applications that offer rich functionality such as blogs, marketing applications, and content management systems. Safeguards in the form of sandboxes have been built by many template engines to counter this risk; however, attackers are often able to escape the template engine sandbox and access the underlying operating system.
SSTI vulnerabilities are usually scored with high severity given their propensity to end in full remote code execution. A malicious actor executing a successful SSTI attack could gain complete access to the application server by executing code in the template engine context and escaping the sandbox. This could lead to the complete compromise of the server, the application, and the underlying operating system.
- Ensure that users are not enabled to submit or modify new templates.
- Use the template engine API as intended, ensuring the separation of logic and presentation where possible by passing dynamic data as a separate context argument of the rendering function.
- Never mix variables and template strings.
Verify that the application protects against template injection attacks by ensuring that any user input being included is sanitized or sandboxed.