Server-side template injection (SSTI) attacks are on the rise, and they pose a serious threat to any organization running web applications that render content through a template engine. Content management systems such as WordPress, Joomla, and Drupal are common examples, and many organizations rely on them for their online presence.
SSTI vulnerabilities are serious; they are rarely benign. Once found, they tend to be exploited: an attacker who gains control over template source can usually execute code on the server, which opens the way to data theft and, in the worst case, a full server takeover. There have also been instances in which an SSTI foothold was used to pivot further into an organization's internal infrastructure.
Here is a rundown of a few real SSTI vulnerabilities reported in recent years and the recommended ways to address each of them.
Apache Velocity SSTI vulnerability
One of the more recently discovered SSTI issues involves Apache Velocity, a Java-based template engine. In March 2021, IT engineer Marjan Sterjev described the problem in a blog post that walked through the ways it can be exploited, including Velocity payloads that reveal the server's root directory, list OS directories, and extract other information of interest to an attacker.

Sterjev's main point is that the vulnerability is avoidable: do not build templates by substituting raw, user-controlled content into the template source string. Doing so hands the user the ability to write template directives, which is exactly what an SSTI attack needs. Template source should only ever be assembled from untrusted strings when there is a compelling reason for it, such as a feature that cannot work any other way, and in that case the input must be thoroughly tested and sanitized. The normal pattern is to keep the template source fixed and pass user data through the template context instead.
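The difference Sterjev draws, as an added Java example (this is not Sterjev's code or Velocity's own): the same greeting rendered once from template source that is concatenated with user input, and once from a fixed template that receives the input as a context value. It assumes Apache Velocity 2.x on the classpath; the class name `VelocitySsti` and the constructed `USER_INPUT` probe are assumptions for the example.

```java
import java.io.StringWriter;
import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;

// Added example: vulnerable vs. hardened rendering with Apache Velocity 2.x.
public class VelocitySsti {

    // Constructed "user input": a harmless arithmetic probe of the kind used to
    // confirm SSTI. If Velocity parses it, the output contains 49; if Velocity
    // treats it as data, the probe text is printed unchanged.
    static final String USER_INPUT = "#set($probe = 7 * 7)$probe";

    static VelocityEngine newEngine() {
        VelocityEngine engine = new VelocityEngine();
        engine.init();
        return engine;
    }

    // Vulnerable: the template *source* is built by string substitution, so
    // whatever directives and references the user supplied are parsed and run.
    static String renderVulnerable(String userInput) {
        StringWriter out = new StringWriter();
        newEngine().evaluate(new VelocityContext(), out, "greeting",
                "Hello " + userInput + "!");
        return out.toString();
    }

    // Hardened: the template source is a developer-controlled constant and the
    // user input reaches it only through the context. Velocity does not re-parse
    // the values it substitutes for references, so the probe stays literal text.
    static String renderSafe(String userInput) {
        VelocityContext ctx = new VelocityContext();
        ctx.put("name", userInput);
        StringWriter out = new StringWriter();
        newEngine().evaluate(ctx, out, "greeting", "Hello $name!");
        return out.toString();
    }

    public static void main(String[] args) {
        System.out.println("vulnerable: " + renderVulnerable(USER_INPUT));
        System.out.println("safe:       " + renderSafe(USER_INPUT));
    }
}
```

The `7 * 7` probe is the standard first test for SSTI: if a value that should be echoed back comes out as `49`, the engine parsed the input as template code. Sterjev's payloads differ only in what they do once that parsing is confirmed; the root cause is the string concatenation in `renderVulnerable`, and the fix is the context lookup in `renderSafe`.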
Drupal SSTI vulnerability
On January 5, 2023, the Drupal project received a report of a possible SSTI vulnerability in the rendering of the CKEditor plugin's "Language" button. The issue is associated with Drupal core 9.4.x-dev. A patch is available to fix it, and upgrading to Drupal 10 also resolves it.

The problem is traced to the use of 'type' => 'inline_template' in the Language class, on line 68. The translated value for the Language button is placed into the inline Twig template without being sanitized, so Twig syntax inside a translation is interpreted when the template is rendered. The issue only manifests when the CKEditor module is enabled and a user saves a modified translation, which means an attacker needs permission to edit interface translations; that limits the exposure but does not remove it.
The recommended fix is to stop splicing the translated string into the template itself and instead hand it to Twig through the context argument of the render array, so that it is rendered as a value rather than parsed as template code. Running the result through “PlainTextOutput::renderFromHtml” is a further option where the output is meant to be plain text.

Some developers regard this as an obscure issue, but there is nothing to lose by fixing it. It is a server-side template injection, and the possibility of it enabling arbitrary code execution has not been ruled out.
Shopify SSTI vulnerability
In April 2019, a participant in Shopify's HackerOne program reported an SSTI vulnerability that was treated as a "zero-day" at the time. It targeted the JavaScript template library Handlebars and allowed remote code execution in Shopify's Return Magic app, which an attacker could use to stage a takeover of the server.

Return Magic automates product returns; shop owners use it to customize the messages sent to customers who go through the return process. The vulnerability lay in the app's workflow email templates: the customizable message text was compiled by Handlebars as a template, so template code, not just data, was under the control of whoever could edit the message.
Thymeleaf SSTI issue
Thymeleaf, a server-side template engine for Java, is known for its natural templating: a Thymeleaf template is valid HTML that looks and behaves like an ordinary page. The problem is a feature called expression preprocessing. Expressions enclosed in double underscores (`__${...}__`) are evaluated first, and their result is spliced into the surrounding expression, which is then evaluated again.

In June 2020, security researcher Aleksei Tiurin showed that this feature is an SSTI risk. If attackers can control, manipulate, or otherwise decide what ends up in a preprocessed value, they can make Thymeleaf evaluate arbitrary expressions. Tiurin calls this a "double-evaluation vulnerability", and it is hard to find with a standard black-box approach because the injection point typically lies in how the application builds a view name from user input rather than in a visible template field.
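The view-name pattern behind Tiurin's finding, as an added Java example (this is not Tiurin's code or Thymeleaf's own): a Spring MVC controller that builds the view name from a request parameter, beside one that keeps the view name fixed and passes the value through the model. It assumes Spring MVC with Thymeleaf as the view layer; `WelcomeController`, the two routes, the `lang` parameter and the allowlist of language codes are assumptions for the example.

```java
import java.util.Set;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestParam;

// Added example: the vulnerable and the hardened way to pick a localized view.
@Controller
public class WelcomeController {

    // Language codes the application actually ships templates for (assumed).
    private static final Set<String> SUPPORTED_LANGS = Set.of("en", "de", "fr");

    // Vulnerable: the view name is assembled from user input. Thymeleaf's Spring
    // view resolver parses a view name that contains "::" as a fragment expression,
    // and __${...}__ preprocessing runs during that parse, so a crafted lang value
    // is evaluated as an expression before any template is even loaded.
    @GetMapping("/welcome-vulnerable")
    public String welcomeVulnerable(@RequestParam("lang") String lang) {
        return "welcome/" + lang;
    }

    // Hardened: the view name is a constant chosen by the developer. The user's
    // value is validated against an allowlist and reaches the template only as a
    // model attribute, which the template reads as data (e.g. th:text="${lang}")
    // rather than as part of an expression to preprocess.
    @GetMapping("/welcome")
    public String welcome(@RequestParam(value = "lang", defaultValue = "en") String lang,
                          Model model) {
        String chosen = SUPPORTED_LANGS.contains(lang) ? lang : "en";
        model.addAttribute("lang", chosen);
        return "welcome";
    }
}
```

Two things are doing the work in the hardened handler. The allowlist means only three known strings can ever influence rendering, and the fixed return value means no request data becomes part of the expression that Thymeleaf evaluates to locate a template. Either alone would be an improvement; together they remove the double evaluation entirely. The same rule applies to any other place a view name or fragment selector is computed at runtime.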
Taking the SSTI threat seriously
There have been no public reports of major attacks exploiting the vulnerabilities listed above. That does not mean none have occurred: organizations that fall victim to an SSTI attack have little incentive to publicize it.

It is important to be mindful of the risks of server-side template injection. Organizations should consider adopting preventive security mechanisms together with the following best practices:
- Input sanitization - Validate every value that reaches a template. Prefer an allowlist: accept only a defined set of characters or values known to render without side effects, and reject everything else rather than trying to strip out dangerous syntax. Sanitization only helps when the input is used as data; if user input is used as template source, the safe fix is to keep it out of the template source entirely.
- 'Edit' access restriction - Templates should not be editable by just anyone. Treat template source like application code: only administrators or developers should be able to change it, through the same review and deployment controls.
- Sandboxing - Configure the template engine to restrict what templates can reach (for example, reflection, class loaders, and process execution) so that even a malicious template cannot escalate to arbitrary code. Sandboxing is generally more robust than input sanitization alone, but it is defense in depth rather than a substitute for keeping user input out of templates, because sandbox bypasses in template engines are found regularly.
- Logic-less templates - A template engine is logic-less when its templates can only substitute values and iterate over data, with no way to call methods, evaluate expressions, or run code. Because presentation is decoupled from application logic and the template cannot do anything beyond rendering the data it is given, control of such a template does not yield remote code execution (it can still lead to content injection or cross-site scripting in the output, so escaping still matters).
- Using cybersecurity platforms - Exposure to SSTI can be further reduced with platforms that provide runtime application self-protection (RASP), web application firewalls (WAF), API security, DDoS defense, advanced bot protection, attack analytics, and similar functions. These detect and block known injection patterns at runtime; they complement, but do not replace, fixing the code.
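The allowlist and sandboxing practices above combined in one rendering path, as an added Java example (not code from any of the projects discussed): the template is a developer-owned constant, the user-supplied value must pass an allowlist before it is placed in the context, and the engine is configured with Velocity's SecureUberspector so that templates cannot introspect their way to classes, class loaders or the runtime. It assumes Apache Velocity 2.x; the class names `SandboxedRendering` and `Order`, the template text and the name pattern are assumptions for the example.

```java
import java.io.StringWriter;
import java.util.regex.Pattern;
import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;
import org.apache.velocity.runtime.RuntimeConstants;
import org.apache.velocity.util.introspection.SecureUberspector;

// Added example: allowlisted input + sandboxed engine + developer-owned template.
public class SandboxedRendering {

    // Allowlist for a customer display name: letters, digits, space, dot,
    // apostrophe and hyphen, at most 64 characters. Anything else is rejected
    // outright instead of being "cleaned".
    private static final Pattern DISPLAY_NAME = Pattern.compile("^[\\p{L}\\p{N} .'-]{1,64}$");

    // The template ships with the application; requests never choose or edit it.
    private static final String TEMPLATE =
            "Hello $name, your order $order.id has shipped.";

    // One engine, configured once. SecureUberspector refuses to resolve method
    // calls and properties on restricted types (java.lang.Class, ClassLoader,
    // Runtime, and so on), so a template cannot reach them even if it tries.
    private static final VelocityEngine ENGINE = buildSandboxedEngine();

    static VelocityEngine buildSandboxedEngine() {
        VelocityEngine engine = new VelocityEngine();
        engine.setProperty(RuntimeConstants.UBERSPECT_CLASSNAME,
                SecureUberspector.class.getName());
        engine.init();
        return engine;
    }

    // Plain data object exposed to the template; only its getters are reachable.
    public static final class Order {
        private final String id;
        public Order(String id) { this.id = id; }
        public String getId() { return id; }
    }

    static String renderShippingNotice(String displayName, Order order) {
        if (!DISPLAY_NAME.matcher(displayName).matches()) {
            throw new IllegalArgumentException("display name rejected by allowlist");
        }
        VelocityContext ctx = new VelocityContext();
        ctx.put("name", displayName);   // data, never template source
        ctx.put("order", order);
        StringWriter out = new StringWriter();
        ENGINE.evaluate(ctx, out, "shipping-notice", TEMPLATE);
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed inputs: one accepted, one rejected before it reaches Velocity.
        System.out.println(renderShippingNotice("Ana Lima", new Order("A-1042")));
        try {
            renderShippingNotice("#set($x = 7 * 7)$x", new Order("A-1043"));
        } catch (IllegalArgumentException rejected) {
            System.out.println("rejected: " + rejected.getMessage());
        }
    }
}
```

The layers are independent. The allowlist stops template syntax at the boundary; the context keeps whatever does get through out of the template source; and the SecureUberspector limits the damage if a template were ever attacker-controlled despite the first two. Dropping any one of them weakens the others, which is why the practices above are listed together rather than as alternatives.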