Black Hat 2015 A serious fresh category of web security vulnerability creates the potential for all sorts of mischief, security researchers warn.
Template engines are widely used by web applications in order to present dynamic data via web pages and emails. The technology offers a server-side sandbox. The commonplace practice of allowing untrusted users to edit templates introduces an array of serious risks, which may or may not be evident in the template system's documentation, web security firm PortSwigger warns.
Unsafely embedding user input in templates leads to a vulnerability that might be used to inject malicious code onto a server.
This type of vulnerability – dubbed "server-side template injection" by security researchers at PortSwigger – is distinct from and more serious than cross-site scripting (XSS), a well-known type of web security vulnerability. A upcoming whitepaper from PortSwigger explains:
Unlike XSS, Template Injection can be used to directly attack web servers' internals and often obtain Remote Code Execution (RCE), turning every vulnerable application into a potential pivot point.
Template Injection can arise both through developer error, and through the intentional exposure of templates in an attempt to offer rich functionality, as commonly done by wikis, blogs, marketing applications and content management systems.
Intentional template injection is such a common use-case that many template engines offer a “sandboxed” mode for this express purpose.
"The vulnerability is generic in nature, potentially affecting any web application that uses a template engine in an unsafe way," Dafydd Stuttard, founder and boss of PortSwigger Web Security, told El Reg. "We have identified numerous zero-day instances of the vulnerability in real-world, widely-used applications. The exact frequency of this vulnerability is unknown, but we have repeatedly stumbled upon it on real engagements and easily located several targets for live demonstration."
The presentation is due to include include details of how the vulnerability can be found and exploited, including live demonstrations of exploiting zero-day bugs in two widely used applications to obtain full remote code execution. (Target applications – Alfresco and XWiki Enterprise – will be deployed locally for the purpose of the demos, for legal reasons.)
PortSwigger will release its whitepaper with full technical details of the flaw at the same time as the talk (7pm BST on 5 August). The paper will include proof-of-concept exploits for five of the most popular template engines, including escapes from sandboxes whose entire purpose is to handle user-supplied templates in a safe way. Templating languages including FreeMarker, Velocity6, Smarty, Twig (regular and sandboxed) and Jade are all demonstrably hackable, it seems.
In the conclusion to the paper, PortSwigger explains why the class of vulnerability has gone unnoticed for years.
"Template Injection is only apparent to auditors who explicitly look for it, and may incorrectly appear to be low severity until resources are invested in assessing the template engine's security posture," Kettle writes. "This explains why Template Injection has remained relatively unknown up till now, and its prevalence in the wild remains to be determined."
Technologies designed to prevent templates from doing harm are currently immature, according to PortSwigger, which plans to beef up its bug-hunting Burp Suite web application security tool to detect this class of threat. However, PortSwigger is pitching its research as a means to highlight an overlooked class of web security vulnerability rather than a means to promote its technology.
"By thoroughly documenting this issue, and releasing automated detection via Burp Suite, we hope to raise awareness of it and significantly reduce its prevalence," PortSwigger explains. ®