Nasreddine Bencherchali
33 lines
1.1 KiB
YAML
33 lines
1.1 KiB
YAML
title: Server Side Template Injection Strings
|
|
id: ada3bc4f-f0fd-42b9-ba91-e105e8af7342
|
|
status: experimental
|
|
description: Detects SSTI attempts sent via GET requests in access logs
|
|
references:
|
|
- https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection
|
|
- https://github.com/payloadbox/ssti-payloads
|
|
author: Nasreddine Bencherchali (Nextron Systems)
|
|
date: 2022/06/14
|
|
logsource:
|
|
category: webserver
|
|
detection:
|
|
select_method:
|
|
cs-method: 'GET'
|
|
keywords:
|
|
- '={{'
|
|
- '=%7B%7B'
|
|
- '=${'
|
|
- '=$%7B'
|
|
- '=<%='
|
|
- '=%3C%25='
|
|
- '=@('
|
|
- 'freemarker.template.utility.Execute'
|
|
- .getClass().forName('javax.script.ScriptEngineManager')
|
|
- 'T(org.apache.commons.io.IOUtils)'
|
|
filter:
|
|
sc-status: 404
|
|
condition: select_method and keywords and not filter
|
|
falsepositives:
|
|
- User searches in search boxes of the respective website
|
|
- Internal vulnerability scanners can cause some serious FPs when used, if you experience a lot of FPs due to this think of adding more filters such as "User Agent" strings and more response codes
|
|
level: high
|