SSTI (Server-Side Template Injection)
Description
Server-Side Template Injection occurs when an attacker can inject arbitrary content into a template, which is then executed and rendered on the server. This can lead to a variety of attacks, such as remote code execution, information disclosure, and more. It's especially dangerous in environments where the template engine has functionalities that allow shell command execution or other powerful capabilities.
Remediation
To prevent SSTI:
- Always validate and sanitize user input rigorously.
- If possible, avoid passing user input directly to template engines.
- Make sure to use the latest versions of template engines which might have patches for known vulnerabilities.
- Restrict template engine's capabilities if possible, so that even if an injection occurs, the impact can be minimized.
REST Specific
Asp_net
To mitigate Server-Side Template Injection in ASP.NET, ensure that user input is strictly validated and sanitized before being passed to the template engine. Employ context-specific escaping and adhere to the principle of least privilege by restricting template engine permissions. Additionally, update to the latest version of the template engine and ASP.NET framework to benefit from security patches.
Ruby_on_rails
In Ruby on Rails, ensure that user input is sanitized before being passed to the template engine. Use Rails' built-in escaping mechanisms to prevent the injection of malicious content. Additionally, configure the template engine to disable potentially dangerous features and adhere to the principle of least privilege, granting minimal permissions necessary for templates to function.
Next_js
To mitigate Server-Side Template Injection in Next.js, ensure user input is properly sanitized and validated before being passed to template engines. Employ context-aware escaping and adhere to the principle of least privilege by restricting template engine permissions. Regularly update Next.js and its dependencies to incorporate security patches.
Laravel
In Laravel, always ensure that user input is sanitized before being passed to the template engine. Use Laravel's built-in escaping functions, such as '{{ }}' for output, and avoid using '{!! !!}' which does not escape content. Additionally, adhere to the principle of least privilege by restricting template engine permissions and capabilities.
Express_js
To mitigate Server-Side Template Injection in Express.js, ensure that user input is properly sanitized and validated before being passed to the template engine. Use context-aware escaping and adhere to the principle of least privilege by restricting template engine permissions. Additionally, avoid using eval() or allowing the execution of arbitrary code within templates. Keep the template engine and its dependencies up-to-date with the latest security patches.
Django
In Django, ensure that you are using the latest version of the framework, as it includes built-in protections against SSTI. Always escape user input using Django's template system, which by default escapes variables unless explicitly told not to. Avoid using the 'safe' filter or marking content as 'mark_safe' unless absolutely necessary and you're sure about the safety of the content. Additionally, never allow user input to control the names of template tags or filters.
Symfony
In Symfony, ensure that user input is never directly passed into the template engine. Use the 'escape' function to sanitize output, adhere to the principle of least privilege when configuring template permissions, and employ a Content Security Policy (CSP) to mitigate the risk of XSS attacks. Additionally, regularly update the Symfony framework and its dependencies to incorporate security patches.
Spring_boot
In Spring Boot applications, to prevent Server-Side Template Injection, ensure that user input is never directly passed into template engines. Always sanitize and validate all user inputs. Use context-aware escaping and adhere to the principle of least privilege when configuring template engine permissions. Additionally, keep all dependencies, including the template engine, up to date with the latest security patches.
Flask
To mitigate Server-Side Template Injection in Flask, ensure that user input is properly sanitized before being passed to the template engine. Use the Jinja2 sandboxed environment to restrict the template's capabilities, and avoid using functions like 'from_string' that compile templates from user inputs. Additionally, always keep the Jinja2 library up-to-date with the latest security patches.
Nuxt
To mitigate Server-Side Template Injection in Nuxt.js, ensure that user input is properly sanitized and validated before being passed to the template engine. Utilize built-in escaping mechanisms to prevent the injection of malicious code. Additionally, adhere to the principle of least privilege by restricting template engine permissions and avoid using dangerous functions that can execute system-level commands. Keep Nuxt.js and its dependencies up to date to benefit from the latest security patches.
Fastapi
To mitigate Server-Side Template Injection in FastAPI, ensure that user input is properly sanitized and validated before being passed to the template engine. Use built-in escaping mechanisms provided by the template engine, and avoid allowing users to control template logic or structure. Additionally, configure the template engine to disable or restrict dangerous functionalities that can execute arbitrary code. Regularly update FastAPI and its dependencies to incorporate security fixes.
Configuration
Identifier:
injection/ssti
Examples
Ignore this check
checks:
injection/ssti:
skip: true
Score
- Escape Severity: HIGH
Compliance
OWASP: API10:2023
pci: 6.5.1
gdpr: Article-32
soc2: CC1
psd2: Article-95
iso27001: A.14.2
nist: SP800-53
fedramp: AC-6
Classification
- CWE: 94
Score
- CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:F/RL:O/RC:C
- CVSS_SCORE: 6.8