Server-Side Template Injection (SSTI)

https://gitlab.com/jobertabma/vulnerable-code/-/tree/master/ssti?ref_type=heads

Step 1: Understand the Vulnerability

  • The code in the linked repository sets up a small Flask web application that is vulnerable to Server-Side Template Injection (SSTI) through the Jinja2 templating engine: user-supplied input (the name query parameter) is inserted into the template source itself instead of being passed to the template as a variable, so Jinja2 parses and evaluates whatever the user sends. The automation script is a Bash script that starts the Flask application and then opens a web browser on a URL that triggers the SSTI vulnerability.
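To make the difference concrete, here is an added example (written for this page, not code from the linked repository) that reproduces the vulnerable pattern with Jinja2 alone, puts the safe pattern next to it, and automates the same {{7*7}} check that the Bash script performs by hand in the browser. The "Hello <name>!" template is an assumption; the page does not show the repository's actual template.

```python
"""Vulnerable vs. safe Jinja2 rendering, plus the {{7*7}} SSTI probe.

Added example: the template text "Hello <name>!" is assumed, not taken
from the repository this page refers to.
"""
from jinja2 import Environment

# One shared environment. autoescape defends against HTML injection (XSS);
# it does nothing against template injection, as shown below.
env = Environment(autoescape=True)


def render_vulnerable(name: str) -> str:
    """Mirrors the bug described on this page: the user's input becomes part
    of the template *source*, so Jinja2 compiles and evaluates it."""
    template_source = "Hello " + name + "!"  # assumed template, user data spliced in
    return env.from_string(template_source).render()


def render_safe(name: str) -> str:
    """The fix: the template source is a constant and the user's input is
    passed as context, so it is treated strictly as data."""
    return env.from_string("Hello {{ name }}!").render(name=name)


def probe_ssti(render, payload: str = "{{7*7}}", expected: str = "49") -> bool:
    """Automates the check the Bash script does by opening ?name={{7*7}}:
    send an arithmetic expression and see whether it comes back evaluated."""
    out = render(payload)
    return expected in out and payload not in out


if __name__ == "__main__":
    print(render_vulnerable("{{7*7}}"))   # Hello 49!
    print(render_safe("{{7*7}}"))         # Hello {{7*7}}!
    print(probe_ssti(render_vulnerable))  # True
    print(probe_ssti(render_safe))        # False
    # autoescape is not a fix for SSTI: spliced-in markup is template text,
    # not an expression, so it is emitted unescaped.
    print(render_vulnerable("<b>x</b>"))  # Hello <b>x</b>!
    print(render_safe("<b>x</b>"))        # Hello &lt;b&gt;x&lt;/b&gt;!
```

The probe only reports a positive when the arithmetic result appears and the literal payload does not, which avoids a false positive on a page that merely echoes the input back.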

Step 2: Create and Run the Bash Script

1. Create the Bash Script: Create a file named ssti.sh and put the Bash script described below into it.

- Explanation of the Script:

  • Run Flask Application: python ssti/run.py & runs the Flask application in the background. The & symbol allows the script to continue executing while the Flask server runs.

  • Open URL: open 'http://127.0.0.1:5000/?name={{7*7}}' opens the default web browser on the specified URL. The query parameter name={{7*7}} triggers the SSTI vulnerability: because the application places the value of name into the template source, Jinja2 evaluates the expression 7*7 while rendering the page. The single quotes keep the shell from interpreting the ?, * and brace characters in the URL. Note that open is the macOS command for this; on a Linux desktop the equivalent is xdg-open.

  • Wait: wait pauses the script until all background jobs (in this case, the Flask server) have exited. The Flask development server keeps running until it is stopped, so the script stays in the foreground until you press Ctrl-C.

2. Make the Script Executable: Change the script's permissions to make it executable (chmod +x ssti.sh).

3. Run the script from the directory that contains the ssti/ folder, since the path python ssti/run.py in the script is relative.

Expected Outcomes:

  • The expected outcome of running the automation script is that your web browser opens and displays the result of exploiting the SSTI vulnerability.

  • Browser Output:

    • Your web browser will open to the URL http://127.0.0.1:5000/?name={{7*7}}.

    • The page displayed will have the following text:
