.:: SSTI Discovery in Python ::.

Server-Side Template Injection (SSTI) is a critical vulnerability in web
applications that allows attackers to inject malicious template code,
potentially leading to remote code execution (RCE). This research presents a
Python-based tool designed to identify and analyze SSTI vulnerabilities in
Jinja2 templates, a popular templating engine. By dynamically importing modules
and enumerating their attributes, the tool discovers potential RCE vectors,
enabling security researchers to assess and mitigate SSTI risks effectively.

[ Introduction ]

The tool leverages Python's importlib to dynamically import user-specified
modules and a custom enumeration function to inspect their attributes, globals,
and subclasses. By simulating Flask and Django contexts, it identifies paths to
potentially dangerous objects like os.system or subprocess.Popen, which are
common SSTI exploit primitives.

Note that false positives are common and most reported vectors should be
verified manually. Currently, the tool works by matching object paths against a
list of potentially dangerous functions, modules and keywords.

The tool code repository is located at https://cgit.heqnx.com/ssti-discovery and
can be cloned easily with git clone https://cgit.heqnx.com/ssti-discovery.
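The paths the tool reports (lipsum.__globals__.os, joiner.__call__.__globals__.os and the like) all hinge on one primitive: a Python function or callable placed in the template context drags its defining module's globals along with it. The following added example, which is not part of the ssti-discovery repository, turns that observation into a pre-render audit a developer can run over the dictionary they are about to hand to render_template. The function names (audit_context, demo_findings), the Joiner class standing in for Jinja2's joiner helper and the sample context are all constructed for this example.

```python
"""Audit a template context for callables whose __globals__ expose
sensitive modules, i.e. the root of paths like name.__globals__.os.

Added example; not code from the ssti-discovery project."""
import os          # imported so this module's own functions carry os in __globals__
import subprocess  # same, for subprocess
import types

# Module names worth flagging when reachable from a context entry.
# Constructed list for this example; extend to taste.
DANGEROUS_MODULES = {"os", "subprocess", "sys", "importlib"}


def _function_of(obj):
    """Return the plain Python function behind a callable, or None.

    Builtins and C-level descriptors (len, str.upper, ...) have no
    __globals__ and are therefore not interesting here."""
    if isinstance(obj, types.FunctionType):
        return obj
    if isinstance(obj, types.MethodType):
        return obj.__func__
    call = getattr(type(obj), "__call__", None)  # user-defined __call__ on a class
    if isinstance(call, types.FunctionType):
        return call
    return None


def audit_context(context):
    """Return (entry_name, attribute_path, module_name) triples for every
    context entry whose function globals expose a DANGEROUS_MODULES module.

    The attribute path is written the way a template would reach it, so
    findings can be compared directly with the tool's JSON output."""
    findings = []
    for name, obj in context.items():
        func = _function_of(obj)
        if func is None:
            continue
        # Bound methods proxy attribute access to __func__, so name.__globals__
        # works for them too; only callable instances need the .__call__ hop.
        via = "" if isinstance(obj, (types.FunctionType, types.MethodType)) else ".__call__"
        for gname, gval in func.__globals__.items():
            if gname.startswith("__"):      # skip __builtins__, __name__, ...
                continue
            if isinstance(gval, types.ModuleType) and gval.__name__ in DANGEROUS_MODULES:
                findings.append((name, f"{name}{via}.__globals__.{gname}", gval.__name__))
    return findings


def format_row(values):
    """Harmless-looking helper a developer might expose to templates."""
    return " | ".join(str(v) for v in values)


class Joiner:
    """Constructed stand-in for Jinja2's joiner helper (a callable instance)."""

    def __init__(self, sep=", "):
        self.sep = sep
        self.used = False

    def __call__(self):
        if self.used:
            return self.sep
        self.used = True
        return ""


def demo_findings():
    """Audit a constructed context resembling a typical Flask render call."""
    context = {
        "title": "report",    # plain data: nothing to find
        "count": 3,
        "upper": str.upper,   # C-level descriptor: no __globals__
        "fmt": format_row,    # plain function -> fmt.__globals__.os
        "joiner": Joiner(),   # callable instance -> joiner.__call__.__globals__.os
    }
    return audit_context(context)


if __name__ == "__main__":
    for entry, path, module in demo_findings():
        print(f"{entry}: {path} exposes module '{module}'")
```

Every flagged path is only reachable when the template engine allows attribute access on those objects, so the practical fix is to keep functions defined in modules that import os or subprocess out of the context (pass precomputed values instead) and to render with jinja2's SandboxedEnvironment, which refuses dunder attribute lookups such as __globals__.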

[ Tool Usage ]

$ python3 ssti-discovery.py -h
usage: ssti-discovery.py [-h] --module MODULE [--framework {jinja2,django}] [--output OUTPUT]

SSTI RCE Vector Discovery Tool

options:
  -h, --help            show this help message and exit
  --module MODULE       Module to import (e.g., os, numpy, myutils)
  --framework {jinja2,django}
                        Template framework to simulate (jinja2 or django)
  --output OUTPUT       Output file for results (default: console)

[ Tool Output Example ]

$ python3 ssti-discovery.py --module numpy --framework jinja2
{
  "module": "numpy",
  "framework": "jinja2",
  "rce_vectors": [
    {
      "path": "dict.__subclasses__.CallbackDict",
      "type": "potentially dangerous class, investigate manually",
      "details": "access to CallbackDict"
    },
    {
      "path": "lipsum.__globals__.os",
      "type": "potentially dangerous module, investigate manually",
      "details": "access to 'os' module"
    },
    {
      "path": "joiner.__call__",
      "type": "potentially dangerous function, investigate manually",
      "details": "access to '__call__' function"
    },
    {
      "path": "joiner.__call__.__globals__.os",
      "type": "potentially dangerous module, investigate manually",
      "details": "access to 'os' module"
    },
    {
      "path": "namespace.__getattribute__.__globals__.os",
      "type": "potentially dangerous module, investigate manually",
      "details": "access to 'os' module"
    },
    {
      "path": "request._load_form_data",
      "type": "potentially dangerous function, investigate manually",
      "details": "access to '_load_form_data' function"
    }
  ]
}

[ Payload Testing ]

ssti-app.py is a Python-based tool built with Flask and Jinja2 to help in
identifying and testing Server-Side Template Injection payloads. It provides a
controlled environment to execute and analyze Jinja2 template payloads,
enabling users to explore potential remote code execution (RCE) vectors in web
applications.

The tool accepts command-line arguments to import Python modules (e.g., os,
subprocess) into the Jinja2 environment, simulating real-world scenarios where
sensitive modules might be exposed. The Flask web app listens on localhost,
port 5000. A basic index.html interface (served at /) allows for easy
interaction, making it accessible for both manual and automated testing.