ZAP – Server Side Template Injection

Details
Alert ID	90035
Alert Type	Active
Status	release
Risk	High
CWE	1336
WASC	20
Technologies Targeted	All
Tags	CWE-1336 OWASP_2017_A01 OWASP_2021_A03 WSTG-V42-INPV-18
More Info	Scan Rule Help

Summary

When the user input is inserted in the template instead of being used as argument in rendering is evaluated by the template engine. Depending on the template engine it can lead to remote code execution.

Solution

Instead of inserting the user input in the template, use it as rendering argument.

Other Info

Proof found at [http://example.com/profile/?name=test] content: [<!DOCTYPE html> <html> <head> <title>Profile</title> </head> <body> <form action="/" method="post"> First name:<br> <input type="text" name="name" value=""> <input type="submit" value="Submit"> </form> <h2>Hello zj3790300zj</h2> </body> </html>Content-Type: text/html Date: Mon, 10 Jun 2024 12:33:36 GMT Connection: keep-alive Content-Length: 328 ]

References

https://portswigger.net/blog/server-side-template-injection

Code

org/zaproxy/zap/extension/ascanrules/SstiScanRule.java