Django Templates Server-Side Template Injection v1.0

Long gone are the days of static websites; nowadays sites need to be dynamic to be attractive and useful. One of the standard ways to generate dynamic content on the backend is to use templates. These come in many flavors of syntax and options, allowing developers to enrich their static HTML with template-specific code that generates the dynamic parts and evaluates to clean HTML/JavaScript/CSS before being sent to a user. With the use of such languages, a new kind of injection vulnerability was introduced: server-side template injection, or SSTI for short.


SSTI is caused by a developer passing untrusted user input into a template rendering engine, allowing the user to specify the template's code. Depending on the template language in use, such a vulnerability has different security consequences, ranging from minor information leaks to remote code execution.
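A reviewer can look for this root cause statically. The following is an added example, not code from the whitepaper: it parses Python source and flags calls to Django's `Template(...)` or `from_string(...)` whose template source is not a plain string literal. The sample views and helper names are constructed for illustration. The check is a conservative heuristic, so it also flags templates held in a variable and it ignores keyword arguments.

```python
import ast

# Constructed sample of Django view code: two risky views, one safe view.
SAMPLE_VIEWS = '''
from django.http import HttpResponse
from django.template import Template, Context, engines

def greet_vulnerable(request):
    # Untrusted input becomes part of the template source.
    name = request.GET.get("name", "")
    tpl = Template("<h1>Hello " + name + "</h1>")
    return HttpResponse(tpl.render(Context({})))

def greet_fstring(request):
    tpl = engines["django"].from_string(f"<p>{request.GET['msg']}</p>")
    return HttpResponse(tpl.render({}))

def greet_safe(request):
    # Template source is a constant; input is only context data.
    tpl = Template("<h1>Hello {{ name }}</h1>")
    return HttpResponse(tpl.render(Context({"name": request.GET.get("name", "")})))
'''

TEMPLATE_BUILDERS = {"Template", "from_string"}  # calls that compile template source


def _callee_name(func):
    """Return the called name for `Template(...)` or `x.from_string(...)` style calls."""
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return func.attr
    return None


def find_dynamic_templates(source):
    """Return sorted (line, callee) pairs where template source is not a string literal."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or _callee_name(node.func) not in TEMPLATE_BUILDERS:
            continue
        if not node.args:
            continue
        src = node.args[0]
        is_literal = isinstance(src, ast.Constant) and isinstance(src.value, str)
        if not is_literal:
            findings.append((node.lineno, _callee_name(node.func)))
    return sorted(findings)
```

Each finding still needs manual review to confirm whether the non-literal source can actually be influenced by a user.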

This article provides a summary of post-exploitation options when SSTI is discovered in a web application utilizing Django Templates¹ (DT) from Django, a Python web framework. We will provide a summary of documented and previously undocumented techniques to help both developers and security assessors better understand the impact of SSTI in DT.

Download Django Templates Server-Side Template Injection v1.0 Whitepaper