Cobalt Crowdsourced Application Pentest

Cobalt Vulnerability Wiki


V5 - Validation/Sanitization

Server Side Template Injection

POC

To identify SSTI vulnerabilities, fuzz the template with a polyglot payload composed of the special characters commonly used in template expressions:

${{<%[%'"}}%.

If the input is vulnerable, the server may return an error message or raise an exception. Both the error and its wording can be used to confirm the vulnerability and to identify the template engine in use.

In general, the following to-do list can be followed:
- Detect where the template injection exists
- Identify the template engine and validate the vulnerability
- Follow the manuals for the specific template engine
- Exploit the vulnerability

Try the known expression syntaxes and check whether the arithmetic result (21) is rendered in the response: ${7*3}, {{7*3}}, <%= 7*3 %>

Note: This is a broad concept; the payloads above are only examples.
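The arithmetic check described above, as an added Ruby/ERB example that is not part of the Cobalt wiki: the vulnerable pattern (user input becomes template source) next to the fixed one (user input is passed as data into a fixed template). The render_vulnerable/render_fixed/probe_report names and the greeting template are constructed for this illustration.

```ruby
require 'erb'
require 'cgi'

# Expression probes from the page; a probe "evaluates" if 21 appears in the output.
PROBES = ['<%= 7*3 %>', '{{7*3}}', '${7*3}'].freeze

# VULNERABLE: the user-controlled string is concatenated into the template source,
# so ERB compiles and executes whatever <%= ... %> the user supplies.
def render_vulnerable(user_input)
  ERB.new("Hello, #{user_input}!").result(binding)
end

# FIXED: the template is a constant; user input is only a variable bound at render
# time and is HTML-escaped, so template delimiters in it are never interpreted.
SAFE_TEMPLATE = ERB.new('Hello, <%= CGI.escapeHTML(name) %>!')
def render_fixed(user_input)
  SAFE_TEMPLATE.result_with_hash(name: user_input)
end

# Triage helper: run each probe through a renderer and report which syntaxes were
# evaluated. Only the engine's own syntax yields 21, which also fingerprints it.
def probe_report(render)
  PROBES.to_h { |probe| [probe, render.call(probe).include?('21')] }
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable: #{probe_report(method(:render_vulnerable))}"
  puts "fixed:      #{probe_report(method(:render_fixed))}"
end
```

With the vulnerable renderer only the ERB-style probe reports true; with the fixed renderer every probe is rendered as literal, escaped text.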

Impact

Low-Medium-High (depends on the attack)

Likelihood

Low-Medium-High (depends on the attack)