CSbyGB - Pentips
Template Injection (client and server side)


Last updated 10 months ago

Made from my notes when I studied the subject. I mostly used . There are also notes and resources found during practice at work. These notes mostly cover server-side template injection, but the resources have some links about client-side template injection.

What is it?

Template injection refers to a vulnerability where an attacker can manipulate templates or template engines to execute malicious code. It can occur on both the client side and the server side.

  • Client-side template injection: In client-side template injection, the template rendering process occurs on the client's browser using JavaScript or similar technologies. The client's browser downloads the template code from the server and then interprets and renders it. If the template data is not properly validated or sanitized, an attacker can inject malicious code into the template, leading to its execution on the client's browser. This can result in unauthorized access, data theft, or other security risks for the user.

  • Server-side template injection: Server-side template injection involves rendering templates on the server side before sending the resulting HTML to the client's browser. The server uses a template engine (e.g., Jinja, Freemarker) to process templates and combine them with dynamic data. If the server fails to properly validate or sanitize the template or the input data, an attacker can inject malicious code into the template variables. When the server processes the template, it executes the injected code, potentially leading to server-side security breaches, data leaks, or other vulnerabilities.

The main difference between the two lies in where the template rendering occurs. Client-side template injection happens on the client's browser, while server-side template injection occurs on the server before sending the content to the client.

Detect Injection

  • These characters can be sent one at a time to check whether an input is vulnerable, until we either get an error or some characters start disappearing from the output: ${{<%[%'"}}%

Identify Template Engine

To follow the decision tree, start at the far left and include the expression in your request. Follow the arrow depending on the output:

  • Green arrow - The expression was evaluated (i.e. 49 for ${7*7})

  • Red arrow - The expression is shown unchanged in the output (i.e. ${7*7})

You can copy paste the expressions from here

${7*7}
{{7*7}}
a{*comment*}b
{{7*'7'}}
${"z".join("ab")}
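The decision tree that these five expressions belong to, written out as code so the green/red arrows can be checked mechanically, for instance when triaging a scanner finding. This is an added example and not code from the original page: it encodes the probe order of James Kettle's PortSwigger research that the expression list comes from, `send` is a callable standing in for one HTTP request that returns the response body, and the responders at the bottom are constructed stand-ins for hypothetical endpoints (no real target is contacted).

```python
"""Template-engine identification tree over observed responses.

Added example, not code from the original page. It walks the same decision
tree the five probe expressions above come from (James Kettle's
"Server-Side Template Injection" research): a green arrow means the engine
evaluated the probe, a red arrow means the probe came back unchanged.
`send` submits one probe and returns the response body; the responders at
the bottom are constructed stand-ins for real servers.
"""
from typing import Callable, Dict

# Value each probe produces when a template engine actually evaluates it.
EXPECTED: Dict[str, str] = {
    "${7*7}": "49",
    "{{7*7}}": "49",
    "a{*comment*}b": "ab",        # Smarty strips {* ... *} comments
    '${"z".join("ab")}': "zab",   # Mako evaluates Python expressions
}


def classify(expr: str, body: str) -> str:
    """Red arrow: probe echoed verbatim. Green arrow: evaluated value present
    and the raw probe gone. Anything else (blank page, error page) is 'error'."""
    if expr in body:
        return "reflected"
    if EXPECTED[expr] in body:
        return "evaluated"
    return "error"


def evaluated(send: Callable[[str], str], expr: str) -> bool:
    return classify(expr, send(expr)) == "evaluated"


def identify(send: Callable[[str], str]) -> str:
    """Follow the tree from the left-most node and return the leaf label."""
    if evaluated(send, "${7*7}"):
        if evaluated(send, "a{*comment*}b"):
            return "Smarty"
        if evaluated(send, '${"z".join("ab")}'):
            return "Mako"
        return "Unknown"
    if evaluated(send, "{{7*7}}"):
        # Same probe, different answers: Jinja2 repeats the string,
        # Twig coerces it to a number.
        body = send("{{7*'7'}}")
        if "7777777" in body:
            return "Jinja2"
        if "49" in body:
            return "Twig"
        return "Unknown"
    return "Not vulnerable"


def responder(table: Dict[str, str]) -> Callable[[str], str]:
    """Constructed stand-in for a page that reflects a parameter: probes in
    `table` come back evaluated, anything else is echoed unchanged."""
    def send(expr: str) -> str:
        return f"<p>Hello {table.get(expr, expr)}</p>"
    return send


# Constructed behaviours of five hypothetical endpoints.
JINJA2_LIKE = responder({"{{7*7}}": "49", "{{7*'7'}}": "7777777"})
TWIG_LIKE = responder({"{{7*7}}": "49", "{{7*'7'}}": "49"})
MAKO_LIKE = responder({"${7*7}": "49", '${"z".join("ab")}': "zab"})
SMARTY_LIKE = responder({"${7*7}": "$49", "a{*comment*}b": "ab"})
NOT_VULNERABLE = responder({})

if __name__ == "__main__":
    for label, target in [("jinja2", JINJA2_LIKE), ("twig", TWIG_LIKE),
                          ("mako", MAKO_LIKE), ("smarty", SMARTY_LIKE),
                          ("safe", NOT_VULNERABLE)]:
        print(f"{label:7s} -> {identify(target)}")
```

The substring checks in `classify` are deliberately simple: on a real page "49" or "ab" may already appear elsewhere in the body, so compare the response with and without the probe, or use a less common arithmetic result, before trusting a green arrow.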

Once we have identified the template engine, we need to know how to:

  • Start a print statement

  • End a print statement

  • Start a block statement

  • End a block statement

We can look this up in the official documentation of the template engine we identified.

It is also essential to know which language the template engine is based on, so that we choose the right language to exploit the injection. Once we know this we can look up ways to execute shell commands in that language.

Remediation

  • Use secure rendering methods

  • Sanitize inputs
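What "use a secure rendering method" looks like in practice, as an added example that is not code from the original page. It assumes the `jinja2` package is installed; the greeting template and function names are constructed for illustration. `render_vulnerable` builds template source from user input, so the page's `{{7*7}}` probe is evaluated to 49; `render_safe` keeps the template source fixed and hands the input over as a context value, so the same probe is echoed back as text; `render_sandboxed` covers the case where the template itself must come from users.

```python
"""Vulnerable versus hardened Jinja2 rendering.

Added example, not code from the original page. Assumes the jinja2 package
is installed; template text and function names are constructed for
illustration.
"""
from jinja2 import Environment
from jinja2.sandbox import SandboxedEnvironment, SecurityError

# The only template source the application should ever render: a constant.
GREETING_TEMPLATE = "Hello {{ name }}!"


def render_vulnerable(name: str) -> str:
    """SSTI: user input is concatenated into the template source, so any
    template syntax it contains is executed by the engine."""
    env = Environment(autoescape=True)
    return env.from_string("Hello " + name + "!").render()


def render_safe(name: str) -> str:
    """Secure method: fixed template, input only ever a context value.
    autoescape=True also neutralises HTML, so this doubles as XSS hygiene."""
    env = Environment(autoescape=True)
    return env.from_string(GREETING_TEMPLATE).render(name=name)


def render_sandboxed(template_source: str, **context: object) -> str:
    """When templates legitimately come from users (mail templates, report
    layouts), Jinja2's SandboxedEnvironment refuses access to private
    attributes such as __class__ that SSTI payloads pivot through.
    Defence in depth only; it does not replace render_safe's approach."""
    env = SandboxedEnvironment(autoescape=True)
    return env.from_string(template_source).render(**context)


def sandbox_blocks(template_source: str) -> bool:
    """True when the sandbox either raises SecurityError or renders a probe
    for Python internals to nothing useful."""
    try:
        output = render_sandboxed(template_source)
    except SecurityError:
        return True
    return "class" not in output


if __name__ == "__main__":
    probe = "{{7*7}}"
    print("vulnerable :", render_vulnerable(probe))   # Hello 49!
    print("safe       :", render_safe(probe))         # Hello {{7*7}}!
    print("sandboxed  :", render_sandboxed("{{ 7*7 }}"))
    print("internals blocked:", sandbox_blocks("{{ ''.__class__.__mro__ }}"))
```

The difference between the first two functions is the whole remediation: the template is code, the request parameter is data, and the two must never be concatenated. Input sanitisation (the second bullet above) is a fallback for cases where that separation cannot be achieved, not a replacement for it.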

How to report

COMING SOON

Resources

  • Decision tree: Source James Kettle

  • OWASP Injection Prevention Cheat Sheet

Syntaxes

  • Smarty

  • Mako

  • Jinja - Documentation

  • Jinja2

  • Twig

  • THM

Courses

  • Server-Side Template Injection - James Kettle (PortSwigger Research)

  • Template Injection in Action - Course with labs - Philippe Arteau - GoSecure

  • Understanding Server Side Template Injection | TryHackMe - Motasem Hamdan

  • Server Side Template Injection Vulnerability | TryHackMe SSTI - Motasem Hamdan

  • Issue Definitions: Client Side Template Injection - PortSwigger

  • Issue Definitions: Server Side Template Injection - PortSwigger

  • XSS Context - Client-side Template Injection - PortSwigger Web Security Academy

  • How to Execute Shell Commands with Python by Nikolai Janakiev (Parametric Thoughts)

  • Server Side Template Injection on PayloadsAllTheThings (swisskyrepo, GitHub)

  • Testing for Server Side Template Injection - OWASP WSTG v4.1

Labs

  • ZTH: Obscure Web Vulns - TryHackMe

  • Learn Server Side Template Injection - TryHackMe (SSTI room)

  • Identify - Coming soon

  • Templates - SSTI room - Medium difficulty - TryHackMe

  • Exploiting server-side template injection vulnerabilities - Multiple labs on PortSwigger Web Security Academy

  • Authenticate - SSTI on vulnmachines

Real life examples

  • SSTI in uber.com - HackerOne report (uber.com may RCE by Flask Jinja2)