“Server-Side Template Injection: Turning Web Applications from Assets into Liabilities”

Server-Side Template Injection (SSTI) vulnerabilities let attackers inject template syntax into server-side templates, which the template engine then evaluates, leading to arbitrary code execution, data theft, and full server compromise. The article highlights rising SSTI CVEs, sector exposure (Retail/Wholesale, Finance/Banking), exploitation techniques such as fuzzing, blind SSTI and obfuscation, and mitigations including Check Point's IPS. #SSTI #dnslog.cn

Keypoints

  • Definition: SSTI vulnerabilities occur when a web application builds template source from user input (concatenation, string formatting) instead of passing that input to the template engine as data, so the engine parses and evaluates the input as template syntax.
  • Key Risks:
    • Arbitrary Code Execution: Full control over the server.
    • Data Theft: Access to sensitive information.
    • Reputation Damage: Erosion of customer trust and legal consequences.
  • Recent Trends: Notable increase in SSTI attacks, with high-profile platforms targeted.
  • Sector Vulnerability: Retail/Wholesale and Finance/Banking sectors are particularly affected due to high transaction volumes and sensitive data.
  • Exploitation Techniques: Attackers use fuzzing (sending engine-specific probes such as {{7*7}} or ${7*7} and looking for the evaluated result, 49, in the response), blind SSTI (confirming evaluation through an out-of-band DNS callback when the template output is not reflected), and obfuscation (encoding or splitting payloads to evade filters and signatures).
  • Advanced Attacks: SSTI can be used for cryptojacking, leveraging compromised servers for mining cryptocurrency.
  • Protection Measures: Organizations should never build template source from user input (pass it to the engine as context data instead), prefer engines with sandboxed or logic-less modes, and layer network controls such as Check Point's IPS on top to detect and block known SSTI probes and payloads.
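The definition and the protection measures above come down to one rule: user input must never become part of the template source. The following added example, which is not code from the Check Point article, shows the vulnerable and the hardened pattern side by side. It uses Python's standard-library string.Template in place of a real engine so that it runs without dependencies; a real engine (Jinja2, Freemarker, Twig and so on) would additionally evaluate expressions and object attributes, which is what turns the information leak shown here into code execution. The context secret and the user-name parameter are constructed for the demonstration.

```python
from string import Template

# Constructed rendering context: a secret that is available to the template
# engine but must never be emitted into the page (assumption for the demo).
CONTEXT = {"api_key": "sk-live-EXAMPLE-0000"}


def render_vulnerable(user_name: str) -> str:
    """SSTI pattern: the template *source* is built from user input.

    Whatever the user types becomes template syntax. With string.Template
    that means a placeholder such as "$api_key" is resolved against the
    context; with Jinja2 or Freemarker it would also mean arbitrary
    expression evaluation.
    """
    source = "Hello " + user_name + "!"          # user input inside the template
    return Template(source).safe_substitute(CONTEXT)


def render_hardened(user_name: str) -> str:
    """Hardened pattern: the template source is a constant, user input is data.

    The user's value is substituted exactly once as the value of $user and is
    never re-parsed, so "$api_key" or "${api_key}" stays a literal string.
    """
    source = "Hello $user!"                      # fixed template, no user input
    return Template(source).safe_substitute(CONTEXT, user=user_name)


def compare(user_name: str) -> dict:
    """Render the same input through both paths for side-by-side inspection."""
    return {
        "vulnerable": render_vulnerable(user_name),
        "hardened": render_hardened(user_name),
    }


if __name__ == "__main__":
    for probe in ("Alice", "$api_key", "${api_key}", "$"):
        print(repr(probe), "->", compare(probe))
```

safe_substitute is used in both paths so that a malformed placeholder (a bare "$") degrades to a literal instead of raising; the point is that only the vulnerable path lets the caller's string reach the parser at all.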

MITRE Techniques

  • [T1203] Execution (Exploitation for Client Execution) – Attackers can execute arbitrary commands on the server through SSTI vulnerabilities.
  • [T1547] Persistence (Boot or Logon Autostart Execution) – Using SSTI to establish persistence through malicious scripts or payloads.
  • [T1003] Credential Access (OS Credential Dumping) – Accessing sensitive data, including user credentials, through SSTI exploits.
  • [T1041] Exfiltration (Exfiltration Over C2 Channel) – Extracting sensitive information from compromised servers using SSTI.

Note that the tags above are the tactic-level mapping given in the summary; when mapping an SSTI intrusion yourself, the entry point itself is normally T1190 (Exploit Public-Facing Application) and the resulting command execution T1059 (Command and Scripting Interpreter), since T1203 describes client-side exploitation.

Indicators of Compromise

  • [Domain] DNS callback domains – dnslog.cn, and an Interactsh-generated subdomain, used for out-of-band confirmation of blind SSTI (the payload forces a DNS lookup of an attacker-controlled name, so evaluation is observed even when the template output is never reflected)
  • [Domain] Cryptocurrency mining domain – c3pool.org
  • [File] Malicious dropper files – 0dzFrRzQ.sh, wi.txt
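The exploitation techniques listed under Keypoints (engine-fingerprinting fuzz probes, blind SSTI via DNS callbacks, URL-encoding obfuscation) and the indicators listed above are all visible in web server access logs. The following added detection example, which is not part of the Check Point article, scans constructed Combined Log Format lines for the common template-delimiter probe shapes after decoding the request path twice (to defeat double-encoding), and for the callback domains and dropper file names from the IoC list. The log lines, client addresses and the non-exhaustive pattern set are assumptions for the demonstration; the domain and file names are taken from the IoC list.

```python
import re
from urllib.parse import unquote

# Engine-fingerprinting probe shapes. Attackers send "7*7" inside each
# delimiter pair and look for "49" in the response to learn which engine
# rendered it. The list is illustrative, not complete.
PROBE_PATTERNS = [
    (r"\{\{.*?\}\}", "jinja2/twig/django-style {{ }}"),
    (r"\$\{.*?\}", "freemarker/velocity/groovy-style ${ }"),
    (r"<%=?.*?%>", "erb/jsp-style <% %>"),
    (r"#\{.*?\}", "ruby/pebble-style #{ }"),
    (r"\{%.*?%\}", "jinja2/twig {% %} statement tag"),
]

# Network and file indicators from the article's IoC list.
CALLBACK_DOMAINS = ("dnslog.cn", "c3pool.org")
DROPPER_NAMES = ("0dzFrRzQ.sh", "wi.txt")

# Combined Log Format: ip ident user [time] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def analyze_line(line: str):
    """Return a finding dict for a suspicious request, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Decode twice: a double-encoded probe (%2524 -> %24 -> $) is a common
    # obfuscation against single-decode filters. unquote is a no-op when
    # nothing is left to decode, so plain requests are unaffected.
    path = unquote(unquote(m.group("path")))
    findings = []
    for pattern, label in PROBE_PATTERNS:
        if re.search(pattern, path, re.DOTALL):
            findings.append(label)
    lowered = path.lower()
    for dom in CALLBACK_DOMAINS:
        if dom in lowered:
            findings.append("callback domain " + dom)
    for name in DROPPER_NAMES:
        if name.lower() in lowered:
            findings.append("dropper name " + name)
    if not findings:
        return None
    return {
        "ip": m.group("ip"),
        "status": int(m.group("status")),
        "path": path,
        "findings": findings,
    }


def scan(lines):
    """Run analyze_line over an iterable of log lines, keeping only hits."""
    return [r for r in map(analyze_line, lines) if r is not None]


# Constructed sample log (not real traffic): a plain probe, a double-encoded
# probe, a benign request, and a blind-SSTI probe carrying a callback host.
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Sep/2024:10:00:01 +0000] "GET /search?q=%7B%7B7*7%7D%7D HTTP/1.1" 200 512',
    '203.0.113.5 - - [12/Sep/2024:10:00:02 +0000] "GET /search?q=%2524%257B7*7%257D HTTP/1.1" 200 512',
    '198.51.100.7 - - [12/Sep/2024:10:00:03 +0000] "GET /profile?name=Alice HTTP/1.1" 200 331',
    '203.0.113.5 - - [12/Sep/2024:10:00:04 +0000] "GET /search?q=%7B%7B7*7%7D%7D&cb=abc123.dnslog.cn HTTP/1.1" 500 0',
]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ip"], hit["status"], hit["path"], hit["findings"])
```

A matching probe in the access log is evidence of scanning, not of a vulnerability; the confirmation (49 in the body, or a DNS query for the callback name arriving at the attacker's resolver) is not in the access log, so correlate hits with response sizes, error rates and outbound DNS from the web tier.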

Read more: https://research.checkpoint.com/2024/server-side-template-injection-transforming-web-applications-from-assets-to-liabilities/