Skip to main content

SSTI (Server-Side Template Injection)

Description

Server-Side Template Injection occurs when an attacker can inject arbitrary content into a template, which is then executed and rendered on the server. This can lead to a variety of attacks, such as remote code execution, information disclosure, and more. It's especially dangerous in environments where the template engine has functionalities that allow shell command execution or other powerful capabilities.

Remediation

To prevent SSTI:

  1. Always validate and sanitize user input rigorously.
  2. If possible, avoid passing user input directly to template engines.
  3. Make sure to use the latest versions of template engines which might have patches for known vulnerabilities.
  4. Restrict template engine's capabilities if possible, so that even if an injection occurs, the impact can be minimized.

REST Specific

Asp_net

To mitigate Server-Side Template Injection in ASP.NET, ensure that user input is strictly validated and sanitized before being passed to the template engine. Employ context-specific escaping and adhere to the principle of least privilege by restricting template engine permissions. Additionally, update to the latest version of the template engine and ASP.NET framework to benefit from security patches.

Ruby_on_rails

In Ruby on Rails, ensure that user input is sanitized before being passed to the template engine. Use Rails' built-in escaping mechanisms to prevent the injection of malicious content. Additionally, configure the template engine to disable potentially dangerous features and adhere to the principle of least privilege, granting minimal permissions necessary for templates to function.

Next_js

To mitigate Server-Side Template Injection in Next.js, ensure user input is properly sanitized and validated before being passed to template engines. Employ context-aware escaping and adhere to the principle of least privilege by restricting template engine permissions. Regularly update Next.js and its dependencies to incorporate security patches.

Laravel

In Laravel, always ensure that user input is sanitized before being passed to the template engine. Use Laravel's built-in escaping functions, such as '{{ }}' for output, and avoid using '{!! !!}' which does not escape content. Additionally, adhere to the principle of least privilege by restricting template engine permissions and capabilities.

Express_js

To mitigate Server-Side Template Injection in Express.js, ensure that user input is properly sanitized and validated before being passed to the template engine. Use context-aware escaping and adhere to the principle of least privilege by restricting template engine permissions. Additionally, avoid using eval() or allowing the execution of arbitrary code within templates. Keep the template engine and its dependencies up-to-date with the latest security patches.

Django

In Django, ensure that you are using the latest version of the framework, as it includes built-in protections against SSTI. Always escape user input using Django's template system, which by default escapes variables unless explicitly told not to. Avoid using the 'safe' filter or marking content as 'mark_safe' unless absolutely necessary and you're sure about the safety of the content. Additionally, never allow user input to control the names of template tags or filters.

Symfony

In Symfony, ensure that user input is never directly passed into the template engine. Use the 'escape' function to sanitize output, adhere to the principle of least privilege when configuring template permissions, and employ a Content Security Policy (CSP) to mitigate the risk of XSS attacks. Additionally, regularly update the Symfony framework and its dependencies to incorporate security patches.

Spring_boot

In Spring Boot applications, to prevent Server-Side Template Injection, ensure that user input is never directly passed into template engines. Always sanitize and validate all user inputs. Use context-aware escaping and adhere to the principle of least privilege when configuring template engine permissions. Additionally, keep all dependencies, including the template engine, up to date with the latest security patches.

Flask

To mitigate Server-Side Template Injection in Flask, ensure that user input is properly sanitized before being passed to the template engine. Use the Jinja2 sandboxed environment to restrict the template's capabilities, and avoid using functions like 'from_string' that compile templates from user inputs. Additionally, always keep the Jinja2 library up-to-date with the latest security patches.

Nuxt

To mitigate Server-Side Template Injection in Nuxt.js, ensure that user input is properly sanitized and validated before being passed to the template engine. Utilize built-in escaping mechanisms to prevent the injection of malicious code. Additionally, adhere to the principle of least privilege by restricting template engine permissions and avoid using dangerous functions that can execute system-level commands. Keep Nuxt.js and its dependencies up to date to benefit from the latest security patches.

Fastapi

To mitigate Server-Side Template Injection in FastAPI, ensure that user input is properly sanitized and validated before being passed to the template engine. Use built-in escaping mechanisms provided by the template engine, and avoid allowing users to control template logic or structure. Additionally, configure the template engine to disable or restrict dangerous functionalities that can execute arbitrary code. Regularly update FastAPI and its dependencies to incorporate security fixes.

Configuration

Identifier: injection/ssti

Examples

Ignore this check

checks:
injection/ssti:
skip: true

Score

  • Escape Severity: HIGH

Compliance

  • OWASP: API10:2023

  • pci: 6.5.1

  • gdpr: Article-32

  • soc2: CC1

  • psd2: Article-95

  • iso27001: A.14.2

  • nist: SP800-53

  • fedramp: AC-6

Classification

  • CWE: 94

Score

  • CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:F/RL:O/RC:C
  • CVSS_SCORE: 6.8

References