Crafting DAST Nuclei Templates for OOB Template Engines Injection: A Practical Guide
文章介绍了新发布的DAST(动态应用安全测试)模板,用于检测多种模板引擎和编程框架中的Out-of-Band(OOB)模板注入漏洞。这些模板帮助识别潜在的安全风险如远程代码执行(RCE)、数据泄露等,并提供自动化测试工具和云平台支持以简化协作流程。 2025-1-22 07:14:15 Author: projectdiscovery.io(查看原文) 阅读量:1 收藏

We’re thrilled to announce the release of new DAST Out-of-Band Template Injection Templates tailored for various templating engines and programming frameworks. This update empowers us to assess vulnerabilities and misconfigurations in diverse tech stacks effectively. In this post, we’ll explore automating Out-of-Band Template Injection Testing, crafting custom vulnerability checks, and sharing the findings through the PDCP Cloud for streamlined collaboration.

For those particularly interested in using the OOB Template Engine Injection templates, feel free to skip to the end of the blog

To simplify the process of detecting Out-of-Band (OOB) Template Engine Injection vulnerabilities, we’ve wrote Nuclei templates in YAML format that fuzz for key security issues. These templates target various templating engines, helping quickly identify and assess injection points where user input is improperly handled, potentially leading to security risks like remote code execution (RCE), data leakage, or unauthorized access.

By using these templates, we can streamline Dynamic Application Security Testing (DAST), ensuring that applications are secure and resistant to OOB template injection attacks.

What are DAST Nuclei Templates?

DAST Nuclei Templates are designed to automate dynamic application security testing (DAST) by scanning live applications for vulnerabilities. These templates allow security researchers, penetration testers, and developers to define custom HTTP requests, matchers, and payloads that simulate real-world attacks like SQL injection, XSS, and remote code execution (RCE). By leveraging these templates, users can interact with web applications during runtime to identify vulnerabilities and misconfigurations.

DAST Nuclei templates provide a flexible, automated approach to dynamic testing, enabling users to customize their workflows for in-depth application security assessments. Explore the Fuzzing templates in our documentation for more details.

DAST templates can execute commands on hosts and are not included in default scans. To use these templates, you can run them by providing the
-dast flag.

What Is Template Injection?

Template injection occurs when an attacker injects malicious input into templates processed by templating engines, potentially enabling them to execute unauthorized code or access sensitive data. This type of vulnerability is common in server-side templating engines and requires robust testing for detection and mitigation.

Setup for Template Injection Playground

  1. Clone the Repository
  1. Navigate to the Directory
  1. Start the Docker Container
  1. Get the container ID , image name, port number using

  1. Use the container ID to inspect the container

  1. Look for the "IPAddress" under the "Networks" section in the output.

  1. Navigate to the IPAddress with the Port number and Observe the response.

Example:

  • In this example, we'll create a DAST template to detect Groovy Out-of-Band (OOB) Template Engine Injection. We'll begin by identifying the fingerprint and then check for the OOB vulnerability in the vulnerable setup.
/Groovy - is the route or path where the vulnerable Groovy setup is located.

  • Provide some random input in the name field, click on "Submit," and then observe the response in Burp Suite.

  • It can be observed that the input is being reflected in the response.

The payload ${7*7} is a simple example of a Groovy Template Engine Injection attempt. Here's a breakdown for a beginner:

  • ${7*7} is a special part of the payload that uses Groovy's template syntax. Anything inside ${} is treated as an expression by the Groovy Template Engine.
  • In this case, 7*7 is an arithmetic operation, and the engine will calculate the result when it processes the input.

If this payload is processed by a vulnerable application using Groovy Template Engine, the output might look like this

  • The key idea here is that the ${} syntax is used to evaluate and inject dynamic content (in this case, the result of the multiplication) into the output. If the application doesn't properly filter or sanitize user input, this could be exploited.

SSTI to OOB Exploitation:

To escalate a Server-Side Template Injection (SSTI) vulnerability to execute system-level commands, you can use an Out-of-Band (OOB) exploitation technique. Here’s an updated payload:

Explanation:

  • nslookup -type=SRV: This command is used to query DNS SRV records for the specified domain.
  • '9zngatihqnif00r6i461uq.oastify.com': This domain is used to trigger a callback to your Out-of-Band (OOB) service (in this case, an OAST service).
  • .execute(): Executes the nslookup command on the target system.
  • .text: Captures the output of the command as text.

This payload, when executed, sends a DNS request to the specified OAST domain. By tracking the callback, you can confirm that the SSTI vulnerability is exploitable, potentially leading to further system-level command execution.

Using -type=SRV in a DNS callback payload helps reduce false positives by targeting only SRV record queries. SRV records are less common, so this makes the test more specific to the target system. It reduces noise from unrelated queries and minimizes interference from recursive resolvers. This ensures the callback results from the actual exploitation attempt.

Crafting a DAST OOB Nuclei Template:

Here’s the template for OOB - Groovy Template Injection in DAST format

HTTP Section:

  • pre-condition: Specifies that the template should run only for HTTP GET requests.
  • payloads: Contains the Groovy template injection payload. This payload uses Out-of-Band (OOB) DNS requests for tracking.

This payload will execute nslookup -type=SRV on a vulnerable server to make a DNS request to an Interactsh URL.

Fuzzing:

  • Defines the part of the HTTP request to fuzz (in this case, the query parameter) and applies the payload injection.

Matchers:

  • request-matcher: Checks if the response contains DNS (dns) and SRV records (srv). This indicates a successful OOB interaction, confirming the vulnerability.

How to Run the DAST Nuclei Templates ?

  • To run the DAST Nuclei template, use the following command:
  • Make sure to include the -dast flag when running the DAST template you create.

Uploading Results to ProjectDiscovery Cloud Platform

To upload results to the cloud, you need to obtain an authentication token. Here are the steps to follow:

  1. Go to PDCP Cloud and log in to your account.
  2. Click on your profile picture in the top-right corner and select API key.
  3. Copy your API key, and in your terminal, type 

Now you're all set to run the templates!

Now that you've gathered numerous findings, you can easily access them on the Cloud. Just log in to PDCP Cloud, and you'll see a scan created with your results.

For DAST OOB Template Engine Injection, we have written 14 templates covering the following :

  • Ruby: ERB, Erubi, Erubis
  • Python: Jinja2, Mako, Bottle, Tornado, Chameleon
  • PHP: Smarty, Twig, Latte, Blade
  • Java: Freemarker, Velocity
  • JavaScript: EJS, Pub.js, Pug.js, Underscore.js
  • Others: Slim, Liquid, Cheetah, SAML, Dot.js

The dast directory in the Nuclei templates repository contains DAST
(Dynamic Application Security Testing) checks for identifying security vulnerabilities in web applications.

The setup and detailed payload examples used in this guide are inspired by the concepts outlined in the blog post "Template Engines Injection 101" by @0xAwali & Template Injection Playground by @hackmanit . This resource provides foundational insights into understanding and exploiting template engine vulnerabilities effectively.

Conclusion:

The Nuclei templates for DAST OOB Template Engine Injection offer excellent flexibility, enabling users to craft custom checks tailored to their specific environment and security needs. This approach helps in identifying and exploiting out-of-band injection vulnerabilities, facilitating the detection of template engine misconfigurations.

You can also join our Discord server. It's a great place to connect with fellow contributors and stay updated with the latest developments. Thank you, once again!

By leveraging Nuclei and actively engaging with the open-source community, or by becoming a part of the ProjectDiscovery Cloud Platform, companies can enhance their security measures, proactively address emerging threats, and establish a more secure digital landscape. Security represents a shared endeavor, and by collaborating, we can consistently adapt and confront the ever-evolving challenges posed by cyber threats.


文章来源: https://projectdiscovery.io/blog/crafting-dast-nuclei-templates-for-oob-template-engines-injection-a-practical-guide
如有侵权请联系:admin#unsafe.sh