Skip to content

SSTI (Server-Side Template Injection)

Description

Server-Side Template Injection occurs when an attacker can inject arbitrary content into a template, which is then executed and rendered on the server. This can lead to a variety of attacks, such as remote code execution, information disclosure, and more. It's especially dangerous in environments where the template engine has functionalities that allow shell command execution or other powerful capabilities.

Remediation

To prevent SSTI:

  1. Always validate and sanitize user input rigorously.
  2. If possible, avoid passing user input directly to template engines.
  3. Make sure to use the latest versions of template engines which might have patches for known vulnerabilities.
  4. Restrict template engine's capabilities if possible, so that even if an injection occurs, the impact can be minimized.

REST Specific

Asp_net To mitigate Server-Side Template Injection in ASP.NET, ensure that user input is strictly validated and sanitized before being passed to the template engine. Employ context-specific escaping and adhere to the principle of least privilege by restricting template engine permissions. Additionally, update to the latest version of the template engine and ASP.NET framework to benefit from security patches.
Ruby_on_rails In Ruby on Rails, ensure that user input is sanitized before being passed to the template engine. Use Rails' built-in escaping mechanisms to prevent the injection of malicious content. Additionally, configure the template engine to disable potentially dangerous features and adhere to the principle of least privilege, granting minimal permissions necessary for templates to function.
Next_js To mitigate Server-Side Template Injection in Next.js, ensure user input is properly sanitized and validated before being passed to template engines. Employ context-aware escaping and adhere to the principle of least privilege by restricting template engine permissions. Regularly update Next.js and its dependencies to incorporate security patches.
Laravel In Laravel, always ensure that user input is sanitized before being passed to the template engine. Use Laravel's built-in escaping functions, such as '{{ }}' for output, and avoid using '{!! !!}' which does not escape content. Additionally, adhere to the principle of least privilege by restricting template engine permissions and capabilities.
Express_js To mitigate Server-Side Template Injection in Express.js, ensure that user input is properly sanitized and validated before being passed to the template engine. Use context-aware escaping and adhere to the principle of least privilege by restricting template engine permissions. Additionally, avoid using eval() or allowing the execution of arbitrary code within templates. Keep the template engine and its dependencies up-to-date with the latest security patches.
Django In Django, ensure that you are using the latest version of the framework, as it includes built-in protections against SSTI. Always escape user input using Django's template system, which by default escapes variables unless explicitly told not to. Avoid using the 'safe' filter or marking content as 'mark_safe' unless absolutely necessary and you're sure about the safety of the content. Additionally, never allow user input to control the names of template tags or filters.
Symfony In Symfony, ensure that user input is never directly passed into the template engine. Use the 'escape' function to sanitize output, adhere to the principle of least privilege when configuring template permissions, and employ a Content Security Policy (CSP) to mitigate the risk of XSS attacks. Additionally, regularly update the Symfony framework and its dependencies to incorporate security patches.
Spring_boot In Spring Boot applications, to prevent Server-Side Template Injection, ensure that user input is never directly passed into template engines. Always sanitize and validate all user inputs. Use context-aware escaping and adhere to the principle of least privilege when configuring template engine permissions. Additionally, keep all dependencies, including the template engine, up to date with the latest security patches.
Flask To mitigate Server-Side Template Injection in Flask, ensure that user input is properly sanitized before being passed to the template engine. Use the Jinja2 sandboxed environment to restrict the template's capabilities, and avoid using functions like 'from_string' that compile templates from user inputs. Additionally, always keep the Jinja2 library up-to-date with the latest security patches.
Nuxt To mitigate Server-Side Template Injection in Nuxt.js, ensure that user input is properly sanitized and validated before being passed to the template engine. Utilize built-in escaping mechanisms to prevent the injection of malicious code. Additionally, adhere to the principle of least privilege by restricting template engine permissions and avoid using dangerous functions that can execute system-level commands. Keep Nuxt.js and its dependencies up to date to benefit from the latest security patches.
Fastapi To mitigate Server-Side Template Injection in FastAPI, ensure that user input is properly sanitized and validated before being passed to the template engine. Use built-in escaping mechanisms provided by the template engine, and avoid allowing users to control template logic or structure. Additionally, configure the template engine to disable or restrict dangerous functionalities that can execute arbitrary code. Regularly update FastAPI and its dependencies to incorporate security fixes.
Frappe Validate and sanitize all user inputs before rendering them in templates, and use a secure template engine configuration that disables or restricts execution of arbitrary code.
Genzio Validate and sanitize all user inputs before processing them in templates, and use a secure template engine configuration that disables or restricts execution of arbitrary code.
Gin Validate and sanitize all user inputs before rendering them in templates, and use a secure template engine that does not allow arbitrary code execution.
Gorilla Validate and sanitize all user inputs before processing them in the Gorilla framework's template engine to prevent injection of malicious content.
Hapi Use a safe template engine like Nunjucks with context isolation and avoid using user input directly in templates in the Hapi framework.
Hono Validate and sanitize all user inputs before processing them in templates, and use a secure template engine that does not allow arbitrary code execution.
Jersey Validate and sanitize all user inputs before processing them in templates, and use a secure template engine configuration that disables or restricts execution of arbitrary code.
Koa Validate and sanitize all user inputs before rendering templates, and use a secure template engine that does not allow code execution, such as Nunjucks with sandboxing enabled.
Ktor Validate and sanitize all user inputs before processing them in templates, and use a secure template engine configuration that disables or restricts execution of arbitrary code.
Leptos Validate and sanitize all user inputs before processing them in templates to prevent injection of malicious content.
Macaron Validate and sanitize all user inputs before processing them in templates, and use a secure template engine configuration that disables or restricts execution of arbitrary code.
Phoenix Use Phoenix's built-in templating functions and avoid executing user input directly in templates to prevent SSTI vulnerabilities.
Redwoodjs Validate and sanitize all user inputs before rendering them in templates, and use a secure template engine that does not allow arbitrary code execution.
Rocket Validate and sanitize all user inputs before processing them in the Rocket framework's template engine to prevent injection of malicious content.
Sveltekit Ensure that user inputs are properly sanitized and validated before being used in templates, and avoid using template engines that allow direct execution of code. Consider using a secure templating library that automatically escapes user inputs.

Configuration

Identifier: injection/ssti

Examples

Ignore this check

checks:
  injection/ssti:
    skip: true

Score

  • Escape Severity:

Compliance

  • OWASP: API10:2023
  • OWASP LLM: LLM06:2023
  • pci: 6.5.1
  • gdpr: Article-32
  • soc2: CC1
  • psd2: Article-95
  • iso27001: A.14.2
  • nist: SP800-53
  • fedramp: AC-6

Classification

  • CWE: 94

Score

  • CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:F/RL:O/RC:C
  • CVSS_SCORE: 6.8

References