Server-Side Template Injection: RCE for the Modern Web App presented at BSidesManchester 2015

by James Kettle

Summary: Simple inputs can conceal an {expansive} attack surface. Feature-rich web applications often embed user input in web templates in an attempt to offer flexible functionality and developer shortcuts, creating a vulnerability easily mistaken for XSS. In this presentation, I’ll discuss techniques to recognise template injection, then show how to take template engines on a journey deeply orthogonal to their intended purpose and ultimately gain arbitrary code execution. I’ll show this technique being applied to craft exploits that hijack four popular template engines, then demonstrate RCE on two corporate web applications.
This presentation will also cover techniques for automated detection of template injection, and exploiting subtle, application-specific vulnerabilities that can arise in otherwise secure template systems.