SSTI (Server-side template injection) to RCE

Aditya Chauhan
2 min readFeb 15, 2023

Server-side template injection (SSTI) is a vulnerability that arises when untrusted user input is included in a server-side template. If an attacker can control the input and inject malicious code, it can lead to remote code execution (RCE), which can be catastrophic for an application or system. In this blog, we will discuss how SSTI can be exploited to achieve RCE.

SSTI Overview

SSTI vulnerabilities occur when a server-side template engine receives user input, but fails to properly sanitize it. As a result, an attacker can craft a malicious payload that gets executed on the server, which can lead to arbitrary code execution.

To understand how SSTI works, let’s consider the following Python code that uses the popular template engine Jinja2:

from flask import Flask, request, render_template_string

app = Flask(__name__)

@app.route('/')
def index():
name = request.args.get('name')
template = '{{ "Hello, {}!" }}'.format(name)
return render_template_string(template)

if __name__ == '__main__':
app.run()

In this code, the application takes user input from a query parameter called name and uses it to render a template. However, since the user input is not sanitized, an attacker can inject malicious code into the name parameter.

Exploiting SSTI for RCE

Once an attacker is able to inject malicious code into the template, they can execute arbitrary commands on the server. For example, an attacker could modify the name parameter to contain a command injection payload:

{{config.__class__.__init__.__globals__['os'].popen('ls /').read()}}

In this example, the attacker is using Jinja2’s ability to access the global context to execute arbitrary Python code. Specifically, they are executing the ls / command and returning its output.

This is just one example of how an attacker can exploit SSTI to achieve RCE. There are many other methods that an attacker can use, depending on the template engine being used and the environment in which the application is running.

Preventing SSTI to RCE

To prevent SSTI vulnerabilities, it is important to sanitize all user input and validate that it adheres to expected formats. Additionally, it is important to configure your server and applications to use safe defaults and configurations to reduce the attack surface for potential exploitation.

It is also recommended to use a content security policy (CSP) to limit the execution of inline scripts and styles, as well as to use sandboxing techniques to prevent access to system resources.

Conclusion

SSTI vulnerabilities can be a serious security concern if left unaddressed. By understanding how attackers can exploit SSTI to achieve RCE, you can better protect your applications and systems. It is essential to keep your applications updated and secure to prevent such attacks. A proactive approach to security can prevent these vulnerabilities from becoming a security risk.

--

--

Aditya Chauhan

ISO 27001 LA | VAPT | Synack Red Teamer | HTB Dante | HTB RASTA | HTB Cybernetics | HTB Offshore | HTB APTLabs | Cyber Security Analyst | Security Researcher