Input Validation / Server-Side Template Injection

Web and API

Description

Server-side template injection (SSTI) is a vulnerability that occurs when user-supplied data is embedded into a template that a web application's template engine then compiles and executes, instead of being passed to a fixed template as data (CWE-943). Because template engines evaluate the expressions they contain, injected template syntax runs on the server; this can lead to data leakage and other malicious activities (OWASP Testing Guide).

Risk

The risk of this vulnerability is high: it can lead to data leakage, privilege escalation, or other malicious activities. An attacker who injects template code into the application can read sensitive information or gain elevated privileges on the server.

Solution

The only surefire way to mitigate the risk of SSTI is strict input validation. By accepting only expected values, the application ensures that template syntax and other malicious content never reach the template engine. In addition, the application should use a safe template engine that is not vulnerable to SSTI.
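The following is an added example, not code from the original page, illustrating both the Description and the Solution above: the anti-pattern in which a user-controlled string becomes the template source (so anything in the rendering context is reachable), beside the mitigated form that keeps the template fixed and applies strict allowlist validation to each field. It uses only Python's standard library; `string.Template` stands in for a real template engine, and the field names, regular expressions and the constructed rendering context (including the placeholder secret) are assumptions for this example.

```python
"""Added example (not from the original page): user input as template *data*,
never as template *source*, plus strict allowlist validation. Uses only the
standard library; string.Template stands in for a real template engine."""
import re
from string import Template

# Developer-authored template. Its source is fixed at deploy time; user input
# only ever fills the placeholders (assumed field names for this example).
GREETING_TEMPLATE = Template("Hello, $name! Order $order_id has shipped.")

# Strict allowlists: accept only the characters each field can legitimately
# contain. Template delimiters such as '$', '{' and '}' are rejected outright.
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z '\-]{0,63}$")
ORDER_ID_RE = re.compile(r"^[0-9]{6,12}$")


class ValidationError(ValueError):
    """Raised when a field does not match its allowlist."""


def validate(field: str, value: str, pattern: re.Pattern) -> str:
    """Return value unchanged if it matches the allowlist, else raise."""
    if not isinstance(value, str) or not pattern.fullmatch(value):
        raise ValidationError(f"{field!r} does not match the expected format")
    return value


def render_unsafe(user_template: str, context: dict) -> str:
    """Anti-pattern: the user-supplied string becomes the template source.

    Every variable in the rendering context is reachable from the template,
    so a user can read values the developer never meant to display. A real
    engine that evaluates expressions would allow far more than a lookup.
    """
    return Template(user_template).safe_substitute(context)


def render_safe(name: str, order_id: str) -> str:
    """Mitigated version: fixed template source, validated input passed as data.

    Note that substitute() never re-parses the *values*, so even without the
    validation a '$' inside `name` would be printed literally; validation is
    still applied because the page's solution is to accept only expected values.
    """
    name = validate("name", name, NAME_RE)
    order_id = validate("order_id", order_id, ORDER_ID_RE)
    return GREETING_TEMPLATE.substitute(name=name, order_id=order_id)


def is_accepted(name: str, order_id: str) -> bool:
    """True if both fields pass validation; useful for tests and request logging."""
    try:
        render_safe(name, order_id)
        return True
    except ValidationError:
        return False


if __name__ == "__main__":
    # Constructed context: the secret is present because the same dict is
    # reused for internal templates, a common way SSTI leaks data.
    ctx = {"name": "Ada", "order_id": "100200300",
           "secret_key": "CONSTRUCTED-SECRET-DO-NOT-USE"}
    print(render_unsafe("Hello, $name! Order $order_id has shipped.", ctx))
    print(render_unsafe("$secret_key", ctx))  # user-chosen template exposes the key
    print(render_safe("Ada", "100200300"))
    print("accepted:", is_accepted("$secret_key", "100200300"))  # False: rejected
```

The two `render_unsafe` calls show that the same engine is harmless when the developer owns the template source and leaks context data as soon as the user does; `render_safe` closes the hole by fixing the template and validating each field against an allowlist rather than trying to block known-bad characters.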
