Nasreddine Bencherchali
598d29f811
chore: change tags, date, modified fields to comply with v2 of the Sigma spec. chore: update the related type from `obsoletes` to `obsolete`. chore: update local json schema to the latest version.
36 lines
1.2 KiB
YAML
36 lines
1.2 KiB
YAML
title: Server Side Template Injection Strings
|
|
id: ada3bc4f-f0fd-42b9-ba91-e105e8af7342
|
|
status: test
|
|
description: Detects SSTI attempts sent via GET requests in access logs
|
|
references:
|
|
- https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection
|
|
- https://github.com/payloadbox/ssti-payloads
|
|
author: Nasreddine Bencherchali (Nextron Systems)
|
|
date: 2022-06-14
|
|
tags:
|
|
- attack.defense-evasion
|
|
- attack.t1221
|
|
logsource:
|
|
category: webserver
|
|
detection:
|
|
select_method:
|
|
cs-method: 'GET'
|
|
keywords:
|
|
- '={{'
|
|
- '=%7B%7B'
|
|
- '=${'
|
|
- '=$%7B'
|
|
- '=<%='
|
|
- '=%3C%25='
|
|
- '=@('
|
|
- 'freemarker.template.utility.Execute'
|
|
- .getClass().forName('javax.script.ScriptEngineManager')
|
|
- 'T(org.apache.commons.io.IOUtils)'
|
|
filter:
|
|
sc-status: 404
|
|
condition: select_method and keywords and not filter
|
|
falsepositives:
|
|
- User searches in search boxes of the respective website
|
|
- Internal vulnerability scanners can cause some serious FPs when used, if you experience a lot of FPs due to this think of adding more filters such as "User Agent" strings and more response codes
|
|
level: high
|