Template Injection


Description

The application is vulnerable to template injection. Template injection results when user input is dynamically inserted into a client-side or server-side template. Client-side template injection can be used to bypass sandbox controls and launch cross-site scripting attacks again users. Server-side template injection allows attacks against backend servers including the possibility of remote code execution.

Impact

Template injection takes advantage of templating frameworks that insert user input into templates to create dynamic pages. An attacker can use template injection to launch attacks against users or the webserver. With client-side template injection, an attacker can execute arbitrary JavaScript in cross-site scripting attacks against users in order to steal credentials, hijack sessions, or redirect users to malicious sites. With server-side template injection, an attacker could obtain arbitrary remote code execution (RCE). Remote code execution allows an attacker to exfiltrate sensitive data from the server or set up a backdoor for shell access.

Risk Rating

Remediation

How To Test

Sample Report Screenshots

Time Saving Tips

Testing Gotchas

References

 

Subscribe here in order to gain access to the AppSec Findings Database

 

Leave a Reply