Server-Side Template Injection: RCE for The Modern Web App

by James Kettle
Sept. 19, 2017 | Pen Testing & Audits

Simple inputs can conceal an {expansive} attack surface. Feature-rich web applications often embed user input in web templates in an attempt to offer flexible functionality and developer shortcuts, creating a vulnerability easily mistaken for XSS. In this presentation, I'll discuss techniques to recognize template injection, then show how to take template engines on a journey deeply orthogonal to their intended purpose and ultimately gain arbitrary code execution. I'll show this technique being applied to craft exploits that hijack four popular template engines, then demonstrate RCE zero-days on two corporate web applications. This presentation will also cover techniques for automated detection of template injection, and exploiting subtle, application-specific vulnerabilities that can arise in otherwise secure template systems.
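The sink the abstract describes, shown as an added example that is not part of the talk or of any application it covers: a web handler splices a request parameter into the template source, and the same input handed to the engine as data is harmless. It is written in Ruby against the standard-library ERB engine, one engine chosen for illustration; the probe table, the `render_greeting_*` and `detect_ssti` names and the greeting template are assumptions, not anything from the original page.

```ruby
require 'erb'

# Sink 1 (vulnerable): the request parameter is spliced into the template
# *source* before ERB parses it, so any ERB tags in the input are executed.
# This is the pattern that looks like reflected XSS but is far worse.
def render_greeting_vulnerable(name)
  template_source = "Hello, #{name}!"
  ERB.new(template_source).result(binding)
end

# Sink 2 (hardened): the template source is a fixed string written by the
# developer; user input reaches the engine only as a variable, and is
# HTML-escaped on output so that reflected markup is inert as well.
def render_greeting_safe(name)
  template_source = "Hello, <%= ERB::Util.html_escape(name) %>!"
  ERB.new(template_source).result_with_hash(name: name)
end

# Arithmetic probes in the syntax of several engines (constructed list; only
# the ERB one can fire against the sinks above). A probe "fires" when the
# rendered page contains the evaluated result rather than the probe itself.
ARITHMETIC_PROBES = {
  erb:        '<%= 7*7 %>',
  jinja_twig: '{{7*7}}',
  freemarker: '${7*7}',
  smarty:     '{7*7}',
}.freeze

# Returns the first engine whose probe evaluates, or nil when every probe is
# treated as plain data. `render` is any callable taking the user input.
def detect_ssti(render)
  ARITHMETIC_PROBES.each do |engine, probe|
    out = render.call(probe)
    return engine if out.include?('49') && !out.include?(probe)
  end
  nil
end

# Once ERB is confirmed, the template language *is* Ruby: the sink that
# evaluated 7*7 evaluates any expression, so <%= %x(id) %> would run a shell
# command. Here only a constant is read, to prove evaluation without side effects.
def prove_code_execution(render)
  render.call('<%= RUBY_VERSION %>').include?(RUBY_VERSION)
end

if __FILE__ == $PROGRAM_NAME
  puts render_greeting_vulnerable('<%= 7*7 %>')       # Hello, 49!
  puts render_greeting_safe('<%= 7*7 %>')             # Hello, &lt;%= 7*7 %&gt;!
  p detect_ssti(method(:render_greeting_vulnerable))  # :erb
  p detect_ssti(method(:render_greeting_safe))        # nil
end
```

The two sinks differ by a single line, which is why the abstract calls this easy to mistake for XSS: an XSS-style payload reflects in both, but only the first evaluates it. When probing a real target, vary the operands (not always 7*7) so that a cached or hard-coded "49" on the page does not produce a false positive.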

Mitchell Rowton moderator 5 months, 1 week ago

Not properly sanitizing user input is probably the most common issue I find in web applications.