Mainstream Web template Security Vulnerabilities cause sandbox to be broken by malicious users

Mainstream Web template Security Vulnerabilities cause sandbox to be broken by malicious users

Escape: unlike Andy Dufresne, we do not want to let real malicious people out of control.

Security researchers warned that a new type of high-risk network security vulnerability has emerged, and it has the terrorism capability to cause various risks.

The template engine is widely used in Web applications to provide dynamic data through Web pages and emails. This technology also uses a server-side sandbox environment. However, most of the general practices allow non-trusted users to edit templates, which brings about a series of very serious security risks, which are not necessarily emphasized in the template System Instructions, web security enterprise PortSwigger warned.

This security vulnerability allows non-trusted users to enter information in the template. Attackers may exploit this vulnerability to inject malicious code to the server.

This type of security vulnerability-security researchers at PortSwigger called it "server-side template injection"-is different from cross-site scripting (XSS) injection for widely known Web security vulnerabilities, but the consequences are even more serious. PortSwigger explained in another white paper:

Unlike XSS, template injection attacks can be used to directly attack the Web server and usually contain Remote Code Execution (RCE ), each vulnerable application can be transformed into a fulcrum of potential malicious activity.

Template injection attacks are caused by developer errors and template internal exposure to provide rich functions, the latter case often appears in Wikipedia, blogs, marketing applications, and content management systems.

Intentional template injection is a common type of use cases. Most template engines provide a "sandbox" mechanism as a solution.

"This vulnerability has a common attribute and may affect any Web application that uses the template engine in a non-secure manner," Dafydd Stuttard, founder and CEO of PortSwigger Web Security, said in an interview. "We have found a large number of zero-day instances in real scenarios involving multiple common applications. The frequency of malicious exploitation of this security vulnerability is unclear, but we have discovered such cases many times. During the on-site demonstration, we can easily find the vulnerability exploitation that is happening ."

James Kettle, a researcher at PortSwigger, is responsible for disclosing the security vulnerability and the details of the strategy at the Black Hat Security Conference in Las Vegas.

This presentation will cover how to discover and exploit the vulnerability, including how to exploit the zero-day vulnerability in two widely used applications, to obtain the complete remote code execution capability. (The two applications mentioned here are Alfresco and XWiki Enterprise. They will be deployed locally in the demonstration to avoid violating legal provisions .)

PortSwigger will also release a white paper detailing all the details of the Security Vulnerabilities mentioned in this speech. This document includes security vulnerability concept verification in the five most popular template engines, and separation from the sandbox environment used to securely process templates submitted by users. According to this document (+ networkworldweixin), including FreeMarker, Velocity 6, Smarty, and Twig (often used in the same sandbox environment) various templated languages, including Jade, will also be cracked.

As the research conclusion of this document, PortSwigger explains why such security vulnerabilities have not been taken seriously for a long time.

"Only those who are interested in such malicious activities can identify template injection attacks, and their severity is often ignored before we invest a lot of resources to evaluate the template engine's security level," Kettle wrote. "This also explains why template injection attacks have not been taken seriously until recently, and we cannot determine the actual utilization frequency ."

The technical solutions used to prevent template injection attacks are not yet mature enough, said PortSwigger. The company plans to strengthen its vulnerability tracking Burp Suite Web Application Security tool so that it can detect such threats. However, PortSwigger's main work is still to highlight such neglected Web Security Vulnerability categories by research, rather than directly providing technical solutions for solving the problem.

"By recording this issue and releasing an automatic detection solution through Burp Suite, we hope to help you increase security awareness and significantly reduce the likelihood of this vulnerability," PortSwigger explained.