SSTI (Server-Side Template Injection)
Server-Side Template Injection occurs when an attacker can inject arbitrary content into a template, which is then executed and rendered on the server. This can lead to a variety of attacks, such as remote code execution, information disclosure, and more. It's especially dangerous in environments where the template engine has functionalities that allow shell command execution or other powerful capabilities.
To prevent SSTI:
- Always validate and sanitize user input rigorously.
- If possible, avoid passing user input directly to template engines.
- Make sure to use the latest versions of template engines which might have patches for known vulnerabilities.
- Restrict template engine's capabilities if possible, so that even if an injection occurs, the impact can be minimized.
Ignore this check
- Escape Severity: HIGH
- OWASP: API10:2023
- PCI DSS: 6.5.1
- WASC: WASC-19
- CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:F/RL:O/RC:C
- CVSS_SCORE: 6.8