
How can new template injection vulnerabilities be stopped?

A newly discovered injection vulnerability affecting template engines could spell trouble for enterprises. Expert Michael Cobb explains how to stop it.

A new vulnerability was disclosed at Black Hat 2015 called "server-side template injection." What's the difference between cross-site scripting and server-side template injection vulnerabilities? Are the defense strategies different?

Validating and sanitizing input received from untrusted sources is a key rule software developers have to follow to prevent an array of malicious code injection attacks such as cross-site scripting (XSS) and SQL injection. Despite sanitization of user input being a core principle of secure programming, instances where data hasn't been sanitized continue to occur and create holes through which hackers can attack users and systems. Researchers at Web security firm PortSwigger, which makes the Web application security testing tool Burp Suite, have recently discovered a relatively unknown class of injection vulnerabilities they've dubbed server-side template injections.

Template engines are widely used to separate the program logic of a website from the presentation layer; wikis, blogs and content management systems all tend to use template engines. Not only is this good programming practice, but it also makes it easier for employees with little-to-no knowledge of HTML to update and maintain the content of a website or compose HTML-formatted emails. They also allow professional Web designers to reuse code to create sites more quickly and efficiently. Popular template engines include Twig, Jade and XWiki Enterprise.

Some engines use simple string interpolation, where placeholders are replaced by data. For example, an email template may begin with "Dear {user_firstname}", with the engine replacing "user_firstname" with first names from the underlying database. Other engines support what are called "if-defined conditionals" to test for the presence or absence of data, while others add further flexibility, such as for-each loops, recursive macros and embedded expressions, to offer richer functionality.

It's essential that the server-side code driving the template engine validates and sanitizes any user-supplied input and content that is added to the template; otherwise, a server-side template injection attack is possible. Unlike XSS, server-side template injection can be used to attack the underlying Web server directly, not just its users. Even though some template engines implement a form of sandboxing to restrict access to more powerful functions and to enable the safe processing of untrusted input, PortSwigger found that many of these implementations could be bypassed by this injection attack. PortSwigger's research paper explains a methodology for detecting and exploiting template injection vulnerabilities, and demonstrates various exploits against five of the most popular template engines, including escapes from sandboxes.
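The two preceding paragraphs describe what a template engine does with placeholders and conditionals, and where the injection risk comes from: untrusted input ending up inside the template source rather than in the data the template is rendered with. The following added example (not code from the article or from PortSwigger) builds a deliberately tiny placeholder engine in Python, then contrasts the vulnerable pattern (user input concatenated into the template) with the safe one (user input passed as data). The engine, the greeting templates, the context values and the `internal_api_key` entry are all constructed for illustration.

```python
import re

# A minimal engine of the kind the article describes: {name} placeholders
# filled from a data dictionary, plus {if name}...{endif} conditionals that
# keep their body only when "name" is present in the data.
PLACEHOLDER = re.compile(r"\{(\w+)\}")
CONDITIONAL = re.compile(r"\{if (\w+)\}(.*?)\{endif\}", re.DOTALL)


def render(template: str, data: dict) -> str:
    """Render TEMPLATE against DATA.

    Conditionals are resolved first, then placeholders are substituted in a
    single pass. Substituted values are inserted verbatim and never re-parsed,
    so a value that happens to contain braces cannot introduce new template
    syntax. Unknown placeholders are left as-is.
    """
    def resolve_conditional(match: re.Match) -> str:
        return match.group(2) if match.group(1) in data else ""

    body = CONDITIONAL.sub(resolve_conditional, template)
    return PLACEHOLDER.sub(
        lambda m: str(data.get(m.group(1), m.group(0))), body
    )


# Constructed render context: the kind of values an application might expose
# to its templates. The key below is a placeholder, not a real credential.
CONTEXT = {
    "user_firstname": "Alice",
    "internal_api_key": "constructed-example-key",
}


def render_greeting_unsafe(user_supplied_name: str, data: dict) -> str:
    """Vulnerable pattern: untrusted input is spliced into the template SOURCE.

    Whatever the user typed is now parsed as template syntax, so a value such
    as "{internal_api_key}" is treated as a placeholder and resolved from DATA.
    This is the server-side template injection shape the article describes,
    reduced to data disclosure because this toy engine evaluates no code.
    """
    template = "Dear " + user_supplied_name + ", your order has shipped."
    return render(template, data)


def render_greeting_safe(user_supplied_name: str, data: dict) -> str:
    """Safe pattern: the template is a fixed, developer-controlled string and
    untrusted input travels only through the data dictionary.

    The engine substitutes the value literally, so braces in the input appear
    in the output as text and are never interpreted.
    """
    template = "Dear {user_firstname}, your order has shipped."
    return render(template, {**data, "user_firstname": user_supplied_name})


if __name__ == "__main__":
    probe = "{internal_api_key}"  # input a security review would try
    print("unsafe:", render_greeting_unsafe(probe, CONTEXT))
    print("safe:  ", render_greeting_safe(probe, CONTEXT))
```

The review question this makes concrete is not "does the engine escape HTML?" but "can any untrusted byte reach the template source?" Output encoding is what stops XSS; keeping user input on the data side of the render call is what stops template injection, and the two controls do not substitute for each other.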

PortSwigger isn't sure how prevalent template injection attacks are, but it intends to enable Burp Suite to detect these kinds of injection vulnerabilities. Simple and relatively flat template engines such as Mustache don't pose a risk; users can't call arbitrary functions from the template language, though HTML output still needs to be sanitized. MediaWiki, the open source template engine behind Wikipedia, is a more flexible engine and its sandboxed environment, according to PortSwigger, appears to do a good job at preventing access to potentially dangerous modules and functions.

What this research shows is that enterprise development teams cannot blindly rely on website development tools to implement best practices. Security teams need to carefully assess how any template engine handles user input and whether any built-in security checks or sandboxing can be circumvented. Reading the accompanying documentation may reveal obvious shortcomings in input sanitization, but analysts should also scrutinize the engine's code, examine what it actually does with user input, and test whether its security checks can be thwarted. One mitigation technique would be to sandbox the template engine inside a hardened Docker container to contain any malicious code execution.


This was last published in January 2016
