exploiting server side template injection with tplmap
play

EXPLOITING SERVER SIDE TEMPLATE INJECTION WITH TPLMAP BY: DIVINE - PowerPoint PPT Presentation

Sep 22, 2022 •641 likes •818 views

EXPLOITING SERVER SIDE TEMPLATE INJECTION WITH TPLMAP BY: DIVINE SELORM TSA 18 AUG 2018 Outline Introduction Template Engines SSTI SSTI Methodology Tplmap Demo Remediation What is a template engine? Helps

  1. EXPLOITING SERVER SIDE TEMPLATE INJECTION WITH TPLMAP BY: DIVINE SELORM TSA 18 AUG 2018

  2. Outline • Introduction • Template Engines • SSTI • SSTI Methodology • Tplmap • Demo • Remediation

  3. What is a template engine? • Helps populate dynamic data into modern web pages • Enables developers to separate data processing logic and presentation code • Offers rich functionality through Wikis, CMS, blogs • Uses: – Displays information about users, products, companies – Displays gallery of photos, videos.. – Sends bulk emails

  4. Example: jinja

  5. Popular Template Engines • PHP – Smarty, Twigs • JAVA – Velocity, Freemaker • Python – JINJA, Mako, Tornado • JavaScript – Jade, Rage • Ruby - Liquid

  6. What is template injection?

  7. What is template injection? • Occurs when invalid user input is embedded into the template engine • Often XSS attack occurs but SSTI can be missed • Can lead to a remote code execution (RCE) • Developer error or intentional exposure

  8. Methodology (based on James Kettle’s research) https://portswigger.net/blog/server-side-template-injection

  9. Detect • Wappalyzer + builtwith + vulners scanner • Test fuzzing – Tips: – Trying a basic XSS – Trying a math expression {{2*2}}

  10. Identify

  11. Exploit • Read • Explore • Attack

  12. Tplmap • Tplmap assists the exploitation of Code Injection and Server-Side Template Injection vulnerabilities with a number of sandbox escape techniques to get access to the underlying operating system. • The tool and its test suite are developed to research the SSTI vulnerability class and to be used as offensive security tool during web application penetration tests. https://github.com/epinna/tplmap

  13. Demo - Tplmap

  14. Remediation • Sanitization – Sanitize user input before passing it into the templates • Complementary approach – Use a sandbox within a safe environment

  15. Q&A

  16. References • https://portswigger.net/blog/server-side- template-injection • https://github.com/epinna/tplmap • https://www.okiok.com/server-side-template- injection-from-detection-to-remote-shell/ • https://www.we45.com/blog/server-side- template-injection-a-crash-course-

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Server-side Web Security: SQL Injection Attacks & XSS CS 161: Computer Security Prof. David

Server-side Web Security: SQL Injection Attacks & XSS CS 161: Computer Security Prof. David

Server-side Web Security: SQL Injection Attacks & XSS CS 161: Computer Security Prof. David Wagner February 12, 2014 SQL Injection Scenario Suppose web server front end stores URL parameter recipient in variable $recipient and

656 views • 37 slides
Server -side security risks (esp sp. . injection jection atta ttacks) s) websec 1 Attacks

Server -side security risks (esp sp. . injection jection atta ttacks) s) websec 1 Attacks

Web Securi rity ty Server -side security risks (esp sp. . injection jection atta ttacks) s) websec 1 Attacks on the web server malicious input web server er output This can be attacks on Availability: i.e. DoS attack, where attacker

1.86k views • 79 slides
Don't Trust The Locals: Exploiting Persistent Client-Side Cross-Site Scripting in the Wild Marius

Don't Trust The Locals: Exploiting Persistent Client-Side Cross-Site Scripting in the Wild Marius

Don't Trust The Locals: Exploiting Persistent Client-Side Cross-Site Scripting in the Wild Marius Ste ff ens German OWASP Day 2018 joint work with Christian Rossow, Martin Johns and Ben Stock Dimensions of Cross-Site Scripting Server Client

413 views • 14 slides
Cl Clien ient-side side sec ecurity urity ri risk sks s esp. . HTML TML injection

Cl Clien ient-side side sec ecurity urity ri risk sks s esp. . HTML TML injection

Web b Securi urity ty Cl Clien ient-side side sec ecurity urity ri risk sks s esp. . HTML TML injection jection and nd XSS SS (Cross oss Si Site te Sc Scripting ipting) 1 Last week malicious input brow owser ser web

844 views • 67 slides
Session 19 Introduction to Server-Side Scripting 1 Lecture Objectives Recognize that a

Session 19 Introduction to Server-Side Scripting 1 Lecture Objectives Recognize that a

Session 19 Server Side Scripting Session 19 Introduction to Server-Side Scripting 1 Lecture Objectives Recognize that a server script provides a way to extend an html page to include logic and insertion of data Understand the

612 views • 12 slides
An Introduction to Php for Web API Principle of server side script WEB Client WEB SERVER html

An Introduction to Php for Web API Principle of server side script WEB Client WEB SERVER html

An Introduction to Php for Web API Principle of server side script WEB Client WEB SERVER html document SCRIPT HTTP SCRIPT Script engine Pages are generated by a program A html document at the server side includes the code to be

741 views • 72 slides
SQL Injection: Summary Target: web server that uses a back-end database Attacker goal:

SQL Injection: Summary Target: web server that uses a back-end database Attacker goal:

SQL Injection: Summary Target: web server that uses a back-end database Attacker goal: inject or modify database commands to either read or alter web-site information Attacker tools: ability to send requests to web server (e.g.,

89 views • 4 slides
SQL Injection Slides thanks to Prof. Shmatikov at UT Austin Dynamic Web Application GET /

SQL Injection Slides thanks to Prof. Shmatikov at UT Austin Dynamic Web Application GET /

SQL Injection Slides thanks to Prof. Shmatikov at UT Austin Dynamic Web Application GET / HTTP/1.0 Browser Web server HTTP/1.1 200 OK index.php Database server slide 2 PHP: Hypertext Preprocessor Server scripting language with C-like

601 views • 23 slides
A1 (Part 2): Injection SQL Injection SQL injection is prevalent SQL injection is impactful Why a

A1 (Part 2): Injection SQL Injection SQL injection is prevalent SQL injection is impactful Why a

A1 (Part 2): Injection SQL Injection SQL injection is prevalent SQL injection is impactful Why a password manager is a good idea! SQL injection is ironic SQL injection is funny Overviewtrated Account Summary Account: Account: "SELECT

445 views • 32 slides
COMP7306: Web technologies Server-side Web programming 6 February 2013 1 / 73 Pierre Senellart

COMP7306: Web technologies Server-side Web programming 6 February 2013 1 / 73 Pierre Senellart

COMP7306: Web technologies Server-side Web programming 6 February 2013 1 / 73 Pierre Senellart Licence de droits dusage Outline HTML forms Principles Input fields Server-side languages An example: PHP Introduction to database

1.08k views • 74 slides
Adaptive Mobile Web Design with a server side flavour James Rosewell & Thomas Holmes 1st

Adaptive Mobile Web Design with a server side flavour James Rosewell & Thomas Holmes 1st

Adaptive Mobile Web Design with a server side flavour James Rosewell & Thomas Holmes 1st June 2012 Explain Server Side options Objective = Efficient use of 1. your time 2. resources (server, client and data network) 1st June 2012 Agenda

626 views • 51 slides
Exploiting Branch Target Injection Jann Horn, Google Project Zero 1 Outline Introduction

Exploiting Branch Target Injection Jann Horn, Google Project Zero 1 Outline Introduction

Exploiting Branch Target Injection Jann Horn, Google Project Zero 1 Outline Introduction Reverse-engineering branch prediction Leaking host memory from KVM 2 Disclaimer I haven't worked in CPU design I don't

670 views • 40 slides
Web Server Design Lecture 9 Server-Side Execution Old Dominion University Department of

Web Server Design Lecture 9 Server-Side Execution Old Dominion University Department of

Web Server Design Lecture 9 Server-Side Execution Old Dominion University Department of Computer Science CS 431/531 Fall 2019 Sawood Alam <salam@cs.odu.edu> 2019-10-24 Original slides by Michael L. Nelson Common Gateway Interface

653 views • 16 slides
SERVER-SIDE RENDERING ISN'T ENOUGH SERVER-SIDE RENDERING ISN'T ENOUGH MATTHEW PHILLIPS MATTHEW

SERVER-SIDE RENDERING ISN'T ENOUGH SERVER-SIDE RENDERING ISN'T ENOUGH MATTHEW PHILLIPS MATTHEW

SERVER-SIDE RENDERING ISN'T ENOUGH SERVER-SIDE RENDERING ISN'T ENOUGH MATTHEW PHILLIPS MATTHEW PHILLIPS GITHUB.COM/CANJS/CAN-SSR GITHUB.COM/CANJS/CAN-SSR TERMS TERMS Shared codebase Isomorphic Universal WHY BOTHER WHY BOTHER This sucks

453 views • 29 slides
Cookies and Sessions Thierry Security assumptions You have absolutely no control on the client

Cookies and Sessions Thierry Security assumptions You have absolutely no control on the client

Cookies and Sessions Thierry Security assumptions You have absolutely no control on the client Client Side Server Side Web Server Database Web Browser Cookies The big picture key/value pairs data Client Side Server Side HTTP request

783 views • 13 slides
Online Template Attack on ECDSA: Extracting Keys Via The Other Side By: Niels Roelofs, Niels

Online Template Attack on ECDSA: Extracting Keys Via The Other Side By: Niels Roelofs, Niels

Online Template Attack on ECDSA: Extracting Keys Via The Other Side By: Niels Roelofs, Niels Samwel, Lejla Batina and Joan Daemen Africacrypt Conference 2020 July 2020 Side Channel Attack Introduction A side-channel is any unintentional

375 views • 36 slides
Practical Exploitation Using A Malicious Service Set Identifier (SSID) Deral Heiland

Practical Exploitation Using A Malicious Service Set Identifier (SSID) Deral Heiland

Practical Exploitation Using A Malicious Service Set Identifier (SSID) Deral Heiland Introduction Deral Heiland, CISSP, GWAPT: Senior Security Engineer at CDW, responsible for security assessments, penetration tests and consulting for

596 views • 58 slides
3D Printed Injection Molds How Companies Are Economically Testing Functional Prototypes with

3D Printed Injection Molds How Companies Are Economically Testing Functional Prototypes with

3D Printed Injection Molds How Companies Are Economically Testing Functional Prototypes with 3DP-IM GIL ROBINSON 1 STRATASYS / THE 3D PRINTING SOLUTIONS COMPANY WE ARE THE 3D PRINTING SOLUTIONS COMPANY 2 FROM SYSTEMS TO SERVICE 3

552 views • 33 slides
Directions of the Accelerator R&D in the US an invitation for discussion at the U. of

Directions of the Accelerator R&D in the US an invitation for discussion at the U. of

On Future HEP Facilities and Directions of the Accelerator R&D in the US an invitation for discussion at the U. of Chicago Workshop , Feb 25-26,. 2013 Vladimir Shiltsev (Fermilab) V.Shiltsev - UChicago 02/25/13 1 Content

356 views • 21 slides
Lecture 2: Homotopical Algebra Nicola Gambino School of Mathematics University of Leeds Young

Lecture 2: Homotopical Algebra Nicola Gambino School of Mathematics University of Leeds Young

Lecture 2: Homotopical Algebra Nicola Gambino School of Mathematics University of Leeds Young Set Theory Copenhagen June 13th, 2016 1 Homotopical algebra Motivation Axiomatic development of homotopy theory Addressing size issues in

477 views • 24 slides
Disclosures None How to Do a Knee Injection UCSF Primary Care Sports Medicine Conference 2018

Disclosures None How to Do a Knee Injection UCSF Primary Care Sports Medicine Conference 2018

Disclosures None How to Do a Knee Injection UCSF Primary Care Sports Medicine Conference 2018 Carlin Senter, MD Associate Professor Co-Director UCSF Sports Concussion Program Primary Care Sports Medicine University of California San

159 views • 5 slides
LVI Hijacking Transient Execution with Load Value Injection Daniel Gruss, Daniel Moghimi, Jo Van

LVI Hijacking Transient Execution with Load Value Injection Daniel Gruss, Daniel Moghimi, Jo Van

LVI Hijacking Transient Execution with Load Value Injection Daniel Gruss, Daniel Moghimi, Jo Van Bulck Hardwear.io Virtual Con, April 30, 2020 1 Daniel Gruss, Daniel Moghimi, Jo Van Bulck National Geographic Processor security: Hardware

1.47k views • 120 slides
Attacks August 28, 2019 Conference on Cryptographic Hardware and Atlanta, USA Embedded Systems

Attacks August 28, 2019 Conference on Cryptographic Hardware and Atlanta, USA Embedded Systems

Shaping th the Glit litch: Claudio Bozzato 4 Riccardo Focardi 12 Francesco Palmarini 13 Optimizing Volt ltage 1 Ca Foscari University of Venice, 2 Cryptosense, Fault In Inje jection 3 Yarix, 4 Talos Attacks August 28, 2019 Conference on

369 views • 35 slides
Outline Cross-site scripting CSci 5271 More cross-site risks Introduction to Computer Security

Outline Cross-site scripting CSci 5271 More cross-site risks Introduction to Computer Security

Outline Cross-site scripting CSci 5271 More cross-site risks Introduction to Computer Security Web security, part 2 Announcements intermission Stephen McCamant Confidentiality and privacy University of Minnesota, Computer Science &

892 views • 6 slides

More recommend