exploiting server side template injection with tplmap
play

EXPLOITING SERVER SIDE TEMPLATE INJECTION WITH TPLMAP BY: DIVINE - PowerPoint PPT Presentation

Sep 22, 2022 •641 likes •818 views

EXPLOITING SERVER SIDE TEMPLATE INJECTION WITH TPLMAP BY: DIVINE SELORM TSA 18 AUG 2018 Outline Introduction Template Engines SSTI SSTI Methodology Tplmap Demo Remediation What is a template engine? Helps

  1. EXPLOITING SERVER SIDE TEMPLATE INJECTION WITH TPLMAP BY: DIVINE SELORM TSA 18 AUG 2018

  2. Outline • Introduction • Template Engines • SSTI • SSTI Methodology • Tplmap • Demo • Remediation

  3. What is a template engine? • Helps populate dynamic data into modern web pages • Enables developers to separate data processing logic and presentation code • Offers rich functionality through Wikis, CMS, blogs • Uses: – Displays information about users, products, companies – Displays gallery of photos, videos.. – Sends bulk emails

  4. Example: jinja

  5. Popular Template Engines • PHP – Smarty, Twigs • JAVA – Velocity, Freemaker • Python – JINJA, Mako, Tornado • JavaScript – Jade, Rage • Ruby - Liquid

  6. What is template injection?

  7. What is template injection? • Occurs when invalid user input is embedded into the template engine • Often XSS attack occurs but SSTI can be missed • Can lead to a remote code execution (RCE) • Developer error or intentional exposure

  8. Methodology (based on James Kettle’s research) https://portswigger.net/blog/server-side-template-injection

  9. Detect • Wappalyzer + builtwith + vulners scanner • Test fuzzing – Tips: – Trying a basic XSS – Trying a math expression {{2*2}}

  10. Identify

  11. Exploit • Read • Explore • Attack

  12. Tplmap • Tplmap assists the exploitation of Code Injection and Server-Side Template Injection vulnerabilities with a number of sandbox escape techniques to get access to the underlying operating system. • The tool and its test suite are developed to research the SSTI vulnerability class and to be used as offensive security tool during web application penetration tests. https://github.com/epinna/tplmap

  13. Demo - Tplmap

  14. Remediation • Sanitization – Sanitize user input before passing it into the templates • Complementary approach – Use a sandbox within a safe environment

  15. Q&A

  16. References • https://portswigger.net/blog/server-side- template-injection • https://github.com/epinna/tplmap • https://www.okiok.com/server-side-template- injection-from-detection-to-remote-shell/ • https://www.we45.com/blog/server-side- template-injection-a-crash-course-

Recommend

Server-side Web Security: SQL Injection Attacks & XSS CS 161: Computer Security Prof. David

Server-side Web Security: SQL Injection Attacks & XSS CS 161: Computer Security Prof. David

Server-side Web Security: SQL Injection Attacks & XSS CS 161: Computer Security Prof. David Wagner February 12, 2014 SQL Injection Scenario Suppose web server front end stores URL parameter recipient in variable $recipient and

656 views • 37 slides
Server -side security risks (esp sp. . injection jection atta ttacks) s) websec 1 Attacks

Server -side security risks (esp sp. . injection jection atta ttacks) s) websec 1 Attacks

Web Securi rity ty Server -side security risks (esp sp. . injection jection atta ttacks) s) websec 1 Attacks on the web server malicious input web server er output This can be attacks on Availability: i.e. DoS attack, where attacker

1.86k views • 79 slides
Don't Trust The Locals: Exploiting Persistent Client-Side Cross-Site Scripting in the Wild Marius

Don't Trust The Locals: Exploiting Persistent Client-Side Cross-Site Scripting in the Wild Marius

Don't Trust The Locals: Exploiting Persistent Client-Side Cross-Site Scripting in the Wild Marius Ste ff ens German OWASP Day 2018 joint work with Christian Rossow, Martin Johns and Ben Stock Dimensions of Cross-Site Scripting Server Client

413 views • 14 slides
Cl Clien ient-side side sec ecurity urity ri risk sks s esp. . HTML TML injection

Cl Clien ient-side side sec ecurity urity ri risk sks s esp. . HTML TML injection

Web b Securi urity ty Cl Clien ient-side side sec ecurity urity ri risk sks s esp. . HTML TML injection jection and nd XSS SS (Cross oss Si Site te Sc Scripting ipting) 1 Last week malicious input brow owser ser web

844 views • 67 slides
Session 19 Introduction to Server-Side Scripting 1 Lecture Objectives Recognize that a

Session 19 Introduction to Server-Side Scripting 1 Lecture Objectives Recognize that a

Session 19 Server Side Scripting Session 19 Introduction to Server-Side Scripting 1 Lecture Objectives Recognize that a server script provides a way to extend an html page to include logic and insertion of data Understand the

612 views • 12 slides
An Introduction to Php for Web API Principle of server side script WEB Client WEB SERVER html

An Introduction to Php for Web API Principle of server side script WEB Client WEB SERVER html

An Introduction to Php for Web API Principle of server side script WEB Client WEB SERVER html document SCRIPT HTTP SCRIPT Script engine Pages are generated by a program A html document at the server side includes the code to be

741 views • 72 slides
SQL Injection: Summary Target: web server that uses a back-end database Attacker goal:

SQL Injection: Summary Target: web server that uses a back-end database Attacker goal:

SQL Injection: Summary Target: web server that uses a back-end database Attacker goal: inject or modify database commands to either read or alter web-site information Attacker tools: ability to send requests to web server (e.g.,

89 views • 4 slides
SQL Injection Slides thanks to Prof. Shmatikov at UT Austin Dynamic Web Application GET /

SQL Injection Slides thanks to Prof. Shmatikov at UT Austin Dynamic Web Application GET /

SQL Injection Slides thanks to Prof. Shmatikov at UT Austin Dynamic Web Application GET / HTTP/1.0 Browser Web server HTTP/1.1 200 OK index.php Database server slide 2 PHP: Hypertext Preprocessor Server scripting language with C-like

601 views • 23 slides
A1 (Part 2): Injection SQL Injection SQL injection is prevalent SQL injection is impactful Why a

A1 (Part 2): Injection SQL Injection SQL injection is prevalent SQL injection is impactful Why a

A1 (Part 2): Injection SQL Injection SQL injection is prevalent SQL injection is impactful Why a password manager is a good idea! SQL injection is ironic SQL injection is funny Overviewtrated Account Summary Account: Account: "SELECT

445 views • 32 slides
COMP7306: Web technologies Server-side Web programming 6 February 2013 1 / 73 Pierre Senellart

COMP7306: Web technologies Server-side Web programming 6 February 2013 1 / 73 Pierre Senellart

COMP7306: Web technologies Server-side Web programming 6 February 2013 1 / 73 Pierre Senellart Licence de droits dusage Outline HTML forms Principles Input fields Server-side languages An example: PHP Introduction to database

1.08k views • 74 slides
Adaptive Mobile Web Design with a server side flavour James Rosewell & Thomas Holmes 1st

Adaptive Mobile Web Design with a server side flavour James Rosewell & Thomas Holmes 1st

Adaptive Mobile Web Design with a server side flavour James Rosewell & Thomas Holmes 1st June 2012 Explain Server Side options Objective = Efficient use of 1. your time 2. resources (server, client and data network) 1st June 2012 Agenda

626 views • 51 slides
Exploiting Branch Target Injection Jann Horn, Google Project Zero 1 Outline Introduction

Exploiting Branch Target Injection Jann Horn, Google Project Zero 1 Outline Introduction

Exploiting Branch Target Injection Jann Horn, Google Project Zero 1 Outline Introduction Reverse-engineering branch prediction Leaking host memory from KVM 2 Disclaimer I haven't worked in CPU design I don't

670 views • 40 slides
Web Server Design Lecture 9 Server-Side Execution Old Dominion University Department of

Web Server Design Lecture 9 Server-Side Execution Old Dominion University Department of

Web Server Design Lecture 9 Server-Side Execution Old Dominion University Department of Computer Science CS 431/531 Fall 2019 Sawood Alam <salam@cs.odu.edu> 2019-10-24 Original slides by Michael L. Nelson Common Gateway Interface

653 views • 16 slides
SERVER-SIDE RENDERING ISN'T ENOUGH SERVER-SIDE RENDERING ISN'T ENOUGH MATTHEW PHILLIPS MATTHEW

SERVER-SIDE RENDERING ISN'T ENOUGH SERVER-SIDE RENDERING ISN'T ENOUGH MATTHEW PHILLIPS MATTHEW

SERVER-SIDE RENDERING ISN'T ENOUGH SERVER-SIDE RENDERING ISN'T ENOUGH MATTHEW PHILLIPS MATTHEW PHILLIPS GITHUB.COM/CANJS/CAN-SSR GITHUB.COM/CANJS/CAN-SSR TERMS TERMS Shared codebase Isomorphic Universal WHY BOTHER WHY BOTHER This sucks

453 views • 29 slides
Cookies and Sessions Thierry Security assumptions You have absolutely no control on the client

Cookies and Sessions Thierry Security assumptions You have absolutely no control on the client

Cookies and Sessions Thierry Security assumptions You have absolutely no control on the client Client Side Server Side Web Server Database Web Browser Cookies The big picture key/value pairs data Client Side Server Side HTTP request

783 views • 13 slides
Online Template Attack on ECDSA: Extracting Keys Via The Other Side By: Niels Roelofs, Niels

Online Template Attack on ECDSA: Extracting Keys Via The Other Side By: Niels Roelofs, Niels

Online Template Attack on ECDSA: Extracting Keys Via The Other Side By: Niels Roelofs, Niels Samwel, Lejla Batina and Joan Daemen Africacrypt Conference 2020 July 2020 Side Channel Attack Introduction A side-channel is any unintentional

375 views • 36 slides
CSCC09 Programming on the Web Thierry Sans Architecture of a Web Application Client Side

CSCC09 Programming on the Web Thierry Sans Architecture of a Web Application Client Side

CSCC09 Programming on the Web Thierry Sans Architecture of a Web Application Client Side Server Side Web Server Web Browser Web Technologies Content Resources Presentation management Client Side Processing Multimedia The evolution of

1.24k views • 23 slides
Server and Threads vanilladb.org Where are we? VanillaCore JDBC Interface (at Client Side)

Server and Threads vanilladb.org Where are we? VanillaCore JDBC Interface (at Client Side)

Server and Threads vanilladb.org Where are we? VanillaCore JDBC Interface (at Client Side) Remote.JDBC (Client/Server) Server Query Interface Tx Planner Parse Algebra Storage Interface Sql/Util Concurrency Recovery Metadata Index

787 views • 66 slides
Server Side Internet Programming Objectives The basics of servlets mapping and

Server Side Internet Programming Objectives The basics of servlets mapping and

Server Side Internet Programming Server Side Internet Programming Objectives The basics of servlets mapping and configuration compilation and execution Cookies and sessions Request and session attributes JSP execution,

946 views • 53 slides
Server-side Scripting Slides courtesy of Xenia Mountrouidou URLs and web servers 2

Server-side Scripting Slides courtesy of Xenia Mountrouidou URLs and web servers 2

Server-side Scripting Slides courtesy of Xenia Mountrouidou URLs and web servers 2 http://server/path/file Usually when you type a URL in your browser: Your computer looks up the server's IP address using DNS Your browser connects

645 views • 36 slides
Perl/CGI Perl/CGI is a server-side scripting language, used to run arbitrary programs within the

Perl/CGI Perl/CGI is a server-side scripting language, used to run arbitrary programs within the

Perl/CGI Perl/CGI is a server-side scripting language, used to run arbitrary programs within the web server. The web server is configured to understand the Perl scripts and to execute them. The web server on CCC is configured to connect to both

352 views • 7 slides
Server side basics 1 CS380 URLs and web servers 2 http://server/path/file Usually when you

Server side basics 1 CS380 URLs and web servers 2 http://server/path/file Usually when you

Server side basics 1 CS380 URLs and web servers 2 http://server/path/file Usually when you type a URL in your browser: Your computer looks up the server's IP address using DNS Your browser connects to that IP address and requests

732 views • 39 slides
Control What You Include! Server-Side Protec7on against Third

Control What You Include! Server-Side Protec7on against Third

Control What You Include! Server-Side Protec7on against Third Party Web Tracking Dolire Francis Som, Nataliia Bielova, Tamara Rezk Privaski 2017

567 views • 18 slides
Internet Engineering: Server Side Development Ali Kamandi Sharif University of Technology

Internet Engineering: Server Side Development Ali Kamandi Sharif University of Technology

Internet Engineering: Server Side Development Ali Kamandi Sharif University of Technology kamandi@ce.sharif.edu Fall 2007 HyperText Transfer Protocol Web Server Client Request Response Open a connection Make a request Server

818 views • 54 slides

More recommend