Template Injection (client and server side)

Made from my notes when I studied the subject. I mostly used THM. There are also notes and resources found during practice at work. These notes mostly cover server side template injection but the resources have some link about client-side template injection

What is it?

Template injection refers to a vulnerability where an attacker can manipulate templates or template engines to execute malicious code. It can occur on both the client side and the server side.

Client-side template injection: In client-side template injection, the template rendering process occurs on the client's browser using JavaScript or similar technologies. The client's browser downloads the template code from the server and then interprets and renders it. If the template data is not properly validated or sanitized, an attacker can inject malicious code into the template, leading to its execution on the client's browser. This can result in unauthorized access, data theft, or other security risks for the user.
Server-side template injection: Server-side template injection involves rendering templates on the server side before sending the resulting HTML to the client's browser. The server uses a template engine (e.g., Jinja, Freemarker) to process templates and combine them with dynamic data. If the server fails to properly validate or sanitize the template or the input data, an attacker can inject malicious code into the template variables. When the server processes the template, it executes the injected code, potentially leading to server-side security breaches, data leaks, or other vulnerabilities.

The main difference between the two lies in where the template rendering occurs. Client-side template injection happens on the client's browser, while server-side template injection occurs on the server before sending the content to the client.

Detect Injection

This chars can be used one by one to check if it is vulnerable until we either get an error, or some characters start disappearing from the output. ${{<%[%'"}}%

Identify Template Engine

Source James Kettle

To follow the decision tree, start at the very left and include the variable in your request. Follow the arrow depending on the output:

Green arrow - The expression evaluated (i.e 42)
Red arrow - The expression is shown in the output (i.e ${7*7})

You can copy paste the expressions from here

${7*7}
{{7*7}}
a{*comment*}b
{{7*'7'}}
${"z".join("ab")}

When we detected the template engine we need to know how to:

Start a print statement
End a print statement
Start a block statement
End a block statement

We can look this up in the official documentation of the template we detected.

It is also essential to know which language is the template engine based on to choose which language we can use to exploit the injection. Once we know this we can lookup for ways to execute shell command in this language.