Server-Side Template Injection: RCE for the modern webapp

James Kettle - @albinowax

Abstract

Template engines are widely used by web applications to present dynamic data via web pages and emails. Unsafely embedding user input in templates enables Server-Side Template Injection, a frequently critical vulnerability that is extremely easy to mistake for Cross-Site Scripting (XSS), or to miss entirely. Unlike XSS, Template Injection can be used to directly attack web servers' internals and often obtain Remote Code Execution (RCE), turning every vulnerable application into a potential pivot point.

Template Injection can arise both through developer error and through the intentional exposure of templates in an attempt to offer rich functionality, as is commonly done by wikis, blogs, marketing applications and content management systems. Intentional template injection is such a common use-case that many template engines offer a 'sandboxed' mode for this express purpose.

This paper defines a methodology for detecting and exploiting template injection, and shows it being applied to craft RCE zero-days for two widely deployed enterprise web applications. Generic exploits are demonstrated for five of the most popular template engines, including escapes from sandboxes whose entire purpose is to handle user-supplied templates in a safe way.

Outline

Introduction
Methodology
  Detect
  Identify
  Exploit
Exploit Development
  FreeMarker
  Velocity
  Smarty
  Twig
  Jade
Case Studies
  Alfresco
  XWiki Enterprise
Mitigations
Conclusion

Introduction

Web applications frequently use template systems such as Twig[1] and FreeMarker[2] to embed dynamic content in web pages and emails. Template Injection occurs when user input is embedded in a template in an unsafe manner. Consider a marketing application that sends bulk emails, and uses a Twig template to greet recipients by name. If the name is merely passed into the template, as in the following example,
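As an added illustration of the distinction the introduction draws (this is not the paper's own code), the snippet below renders the same greeting two ways with Twig: once by concatenating the recipient's name into the template source, and once by passing it as a template variable. It assumes Twig 3 is installed via Composer so that vendor/autoload.php exists; the function names and the sample "name" are constructed for this example.

```php
<?php
// Added example (not from the paper): the same greeting rendered two ways
// with Twig. Assumes Twig 3 installed via Composer (vendor/autoload.php).
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Loader\ArrayLoader;

// An environment with no file-backed templates; strings are compiled directly.
$twig = new Environment(new ArrayLoader([]));

// Vulnerable: the recipient's name becomes part of the template source, so
// any Twig syntax it contains is parsed and evaluated on the server.
function greetVulnerable(Environment $twig, string $name): string
{
    $templateSource = "Dear " . $name . ",";
    return $twig->createTemplate($templateSource)->render();
}

// Safe: the template source is a fixed string written by the developer, and
// the name reaches Twig only as a variable value, never as template code.
function greetSafe(Environment $twig, string $name): string
{
    return $twig->createTemplate("Dear {{ name }},")->render(['name' => $name]);
}

// Constructed sample input: a "name" that is really a Twig expression.
// An arithmetic expression is a useful probe because, if it is evaluated,
// the result cannot be mistaken for the input being echoed back.
$attackerName = '{{ 7*7 }}';

echo "vulnerable: ", greetVulnerable($twig, $attackerName), PHP_EOL;
echo "safe:       ", greetSafe($twig, $attackerName), PHP_EOL;
```

Run with the PHP CLI: the vulnerable path prints the evaluated expression (49) in place of the name, demonstrating that the submitted text was executed as template code, while the safe path prints the submitted text unchanged. The only difference between the two functions is whether user input is part of the template source or part of the template's data, which is the boundary the rest of the paper is about.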