SSTI and Filters
SSTI
Server Side Template Injection (SSTI) is an interesting class of vulnerability.
Here an attacker is able to make use of the back-end template engine's native syntax to inject a malicious payload into the page.
Unlike XSS, which executes in the victim's browser, SSTI gives us scope to run code on the server itself. This can lead to all sorts of fun things like dropping a reverse shell on the target.
Our first topic for the week is to introduce SSTI, and see the types of attack we can do with it.
Filters and Sandbox escape.
To avoid issues with SSTI, many applications will filter the data before it is passed to the template engine. Sensible websites may also take the approach of running template code in a "Sandbox" environment. This is a limited environment, with stripped-down functionality, where an attacker's code may have less impact.
We will also look at some common methods for restricting the code an attacker can run, and how to bypass them.
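To make both ideas concrete, here is an added example (not part of the original page) using Jinja2, which is assumed to be installed: the anti-pattern that concatenates user input into the template source, the fix that passes input as a context variable, a SandboxedEnvironment that refuses underscore-prefixed attribute access, and a simple delimiter filter for alerting. The probe string and the page template are constructed for the example.

```python
"""Vulnerable vs. hardened template rendering with Jinja2 (assumed dependency)."""
from typing import Optional

from jinja2 import Environment
from jinja2.sandbox import SandboxedEnvironment, SecurityError

# Constructed page template: the placeholder is filled from a context variable.
GREETING_PAGE = "<h1>Hello {{ name }}</h1>"


def render_vulnerable(user_input: str) -> str:
    """Anti-pattern: user input becomes part of the template SOURCE, so any
    template syntax inside it is parsed and evaluated by the engine."""
    env = Environment(autoescape=True)
    return env.from_string("<h1>Hello " + user_input + "</h1>").render()


def render_safe(user_input: str) -> str:
    """Fix: the template source is a constant; input is passed as DATA.
    The engine never parses it, so '{{' is just text (and is HTML-escaped)."""
    env = Environment(autoescape=True)
    return env.from_string(GREETING_PAGE).render(name=user_input)


def render_sandboxed(template_source: str, **context) -> Optional[str]:
    """Where users legitimately author templates, a SandboxedEnvironment
    blocks access to underscore-prefixed attributes (e.g. __dict__, __class__).
    Returns None when the sandbox rejects the template instead of rendering it."""
    env = SandboxedEnvironment(autoescape=True)
    try:
        return env.from_string(template_source).render(**context)
    except SecurityError:
        return None


def looks_like_template_syntax(value: str) -> bool:
    """Defensive input filter: flags common template delimiters so the request
    can be logged or alerted on. An aid for detection only, not a replacement
    for keeping input out of the template source (render_safe)."""
    markers = ("{{", "{%", "${", "<%", "#{")
    return any(marker in value for marker in markers)


class User:
    """Constructed context object for the sandbox demonstration."""
    def __init__(self, name: str) -> None:
        self.name = name
```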