Annual Computer Security Applications Conference (ACSAC) 2023

Template Engines: A Methodology for Assessing Server-Side Code Execution Vulnerabilities

ABSTRACT: Template engines are software tools that facilitate dynamic content generation for web pages or documents: developers define templates with placeholders, which are filled with actual data when the template is processed, resulting in a customized and structured output. Despite the simplicity of template engines, inadequate usage or misconfiguration can lead to severe security vulnerabilities, such as Remote Code Execution (RCE). The severity of Server-Side Template Injection (SSTI) in real-world websites and frameworks is confirmed by both bug bounty reports (see HackerOne reports 125980 and 1104349) and CVEs (see CVE-2017-16783 and CVE-2020-26282). Considering the impact and prevalence of such security incidents, it is essential to evaluate the most secure option tailored to the specific programming language or framework in use. For this reason, our case study introduces a comprehensive methodology for analyzing template engines to determine their susceptibility to RCE vulnerabilities. Additionally, this case study presents two prominent instances of template engine applications encountered in real-world settings. First, it examines web applications that use template engines for dynamic rendering of HTML pages; avoiding SSTI is paramount in this case. Second, the study turns to Content Management Systems (CMSs) and "Website as a Service" platforms, where using a template that allows RCE would be disastrous. Leveraging our methodology, we present the findings from assessing popular template engines. The results demonstrate how critical applications can discern and adopt template engines based on their alignment with the application's security requirements.

BIOS: Lorenzo Pisu is a Ph.D. student at the University of Cagliari. His main research topic is web security, focusing on automatic vulnerability detection and discovery. Giorgio Giacinto is a Professor of Computer Engineering at the University of Cagliari, Italy, where he serves as the coordinator of the MSc degree in Computer Engineering, Cybersecurity and Artificial Intelligence.

Lorenzo Pisu
University of Cagliari

Giorgio Giacinto
University of Cagliari