Input Validation / Server-Side Template Injection

Web and API

Description

Server-side template injection (SSTI) is a type of vulnerability that occurs when user-supplied data is passed to a web application template engine (CWE-943). It occurs when an application takes user input and uses it to generate and execute a template. This vulnerability can be used to inject malicious code and execute it on the server side, resulting in data leakage and other malicious activities (OWASP Testing Guide).

Risk

The risk of this vulnerability is high, as it could lead to data leakage, privilege escalation, or other malicious activities. An attacker could inject malicious code into a web application and gain access to sensitive information or gain elevated privileges on the server.

Solution

The only surefire way to mitigate the risk of SSTI is to use strict input validation. By validating user input against the set of expected values, an application can ensure that only those values are accepted and that anything else, including template syntax, is rejected. Additionally, the application should use a safe template engine that is not vulnerable to SSTI.

Example

In this example, a user is able to inject malicious code into an application due to a lack of input validation:

// user input (submitted as the "name" value, no validation applied)
{{ config['password'] }}

// code on server: the raw input is concatenated into the template source,
// so the engine evaluates the injected expression instead of printing it
String template = "Hello " + name + ", your password is safe with us";
String output = templateEngine.render(template);
// rendered output: "Hello <value of config['password']>, your password is safe with us"
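The following is an added, self-contained illustration of the injection above and of the two defences the Solution paragraph recommends; it is not code from this entry or from any real template engine. It uses a deliberately tiny toy renderer (a regex that resolves `{{ expr }}` lookups against a context dictionary) so that it runs offline; `CONFIG`, `render_greeting_vulnerable`, `render_greeting_safe` and `is_valid_name` are constructed names, and exposing `config` in the render context is an assumption that mirrors engines which expose application settings globally.

```python
import re
from typing import Any, Mapping

# Constructed sample application config holding a secret (placeholder value).
CONFIG = {"password": "s3cr3t-placeholder"}

# Matches a template expression such as {{ name }} or {{ config['password'] }}.
EXPR = re.compile(r"\{\{\s*(.+?)\s*\}\}")

# Allow-list for a display name: letters, spaces, apostrophes and hyphens only,
# so template delimiters like { } can never pass validation.
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z' -]{0,63}$")


def resolve(path: str, context: Mapping[str, Any]) -> Any:
    """Look up a dotted/bracketed path such as config['password'] in the context.

    This mimics what a real engine does when it evaluates an expression:
    bracket indexing is rewritten to dot access, then each segment is
    followed through dict keys or object attributes.
    """
    normalized = re.sub(r"\[['\"]([^'\"]*)['\"]\]", r".\1", path)
    value: Any = context
    for segment in normalized.split("."):
        if isinstance(value, Mapping):
            value = value[segment]
        else:
            value = getattr(value, segment)
    return value


def render(template_source: str, context: Mapping[str, Any]) -> str:
    """Toy engine: replace every {{ expr }} in the *template source* with its value.

    Only the template source is scanned; substituted values are inserted as
    plain text and never re-parsed, which is the property the safe path relies on.
    """
    return EXPR.sub(lambda m: str(resolve(m.group(1), context)), template_source)


def render_greeting_vulnerable(name: str) -> str:
    """SSTI: the user-controlled name is concatenated into the template source,
    so any {{ ... }} it contains is evaluated by the engine."""
    template_source = "Hello " + name + ", welcome back."
    return render(template_source, {"name": name, "config": CONFIG})


def render_greeting_safe(name: str) -> str:
    """Fixed: the template source is a constant; the name is passed as context
    data and is therefore inserted verbatim, not evaluated."""
    template_source = "Hello {{ name }}, welcome back."
    return render(template_source, {"name": name, "config": CONFIG})


def is_valid_name(name: str) -> bool:
    """Strict allow-list validation, the mitigation this entry recommends."""
    return NAME_RE.fullmatch(name) is not None


if __name__ == "__main__":
    payload = "{{ config['password'] }}"  # the user input shown in the entry
    print("vulnerable:", render_greeting_vulnerable(payload))
    print("safe:      ", render_greeting_safe(payload))
    print("validated: ", is_valid_name(payload), is_valid_name("Alice O'Neil"))
```

Run it and compare the two greetings: the vulnerable path returns the placeholder secret because the engine parsed the user's text as template code, while the safe path returns the literal `{{ config['password'] }}` because the input only ever reached the engine as data. The allow-list check rejects the payload before rendering at all, which is the "strict input validation" layer; keeping user input out of the template source is the structural fix that works even when validation is incomplete.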
