CRS and SSTI with Velocity


F
Apr 10, 2024, 11:33:23 AM
to ModSecurity Core Rule Set project
Hi

We found a Server Side Template Injection vulnerability within one of our applications. It seems that the Apache Velocity engine is being used.
Sample bad input used as a POST parameter:


Are there any CRS configs that would help to defend against such inputs?
Thank you

Max


Ervin Hegedüs
Apr 10, 2024, 11:44:40 AM
to F, ModSecurity Core Rule Set project
Hi Max,

On Wed, Apr 10, 2024 at 08:33:23AM -0700, F wrote:
> Hi
>
> We found a Server Side Template Injection vulnerability within one of our
> applications. It seems that Apache Velocity engine is being used.
> Sample bad input used as a POST parameter:
>

Thanks for reporting.

First, I really hope this is a public PoC against the mentioned
bug/issue. Anyway, in these cases it would be fine to send these
kinds of questions to secu...@coreruleset.org.

> Are there any CRS configs that would help to defend against such inputs?

I'm afraid there is actually no solution. You can try that
with our Sandbox, e.g.:

curl -v -X POST -d "q=$YOUR.MENTIONED.QUERY" -H "x-format-output: txt-matched-rules" "https://sandbox.coreruleset.org/"

For more information (try different versions/backends) see the
Sandbox's documentation:

https://coreruleset.org/2021/12/09/introducing-the-crs-sandbox/

If you want to explain the attack in detail, please do it
through secu...@coreruleset.org.


Thanks!


a.
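
Added example, not part of the thread and not CRS code: a Python prototype of a detector for Velocity Template Language (VTL) syntax in form-encoded POST bodies, of the kind that could back a site-specific virtual patch while no CRS rule covers the case. The patterns, function name and marker labels are assumptions based on public VTL syntax; the sample bodies are constructed and do not reproduce the input from the original post.

```python
import re
from urllib.parse import parse_qsl, unquote

# Assumed patterns, derived from public VTL syntax (not taken from CRS):
#   directive:        #set( ... ), #foreach( ... ), #{if}( ... ), ...
#   method-reference: $obj.method( or ${obj.prop.method(
VTL_DIRECTIVE = re.compile(
    r"#\{?(?:set|if|elseif|foreach|include|parse|evaluate|define|macro)\}?\s*\(",
    re.IGNORECASE,
)
VTL_METHOD_REF = re.compile(r"\$!?\{?[A-Za-z_][\w-]*(?:\.[A-Za-z_]\w*)+\s*\(")

MARKERS = (("directive", VTL_DIRECTIVE), ("method-reference", VTL_METHOD_REF))


def scan_form_body(body: str) -> list[tuple[str, str]]:
    """Return (parameter, marker) for every form field carrying VTL syntax."""
    hits = []
    for name, value in parse_qsl(body, keep_blank_values=True):
        # parse_qsl percent-decodes once; decode a second time as well so a
        # double-encoded value is inspected in the form the template engine
        # could end up seeing.
        candidates = {value, unquote(value)}
        for marker, pattern in MARKERS:
            if any(pattern.search(c) for c in candidates):
                hits.append((name, marker))
    return hits


# Constructed sample bodies (application/x-www-form-urlencoded).
SAMPLES = {
    "benign search": "q=hello+world&page=2",
    "benign money and hashtag": "note=costs+%245.00+%23sale",
    "directive": "name=%23set%28%24x+%3D+1%29",
    "method call": "tpl=Hi+%24user.getName%28%29",
    "double-encoded directive": "x=%2523foreach%2528%2524i+in+%2524list%2529",
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(f"{label:28} -> {scan_form_body(body)}")
```

A field that legitimately accepts template or code snippets will trigger these patterns, so a rule built from them belongs on the affected parameter only, and the real fix remains not evaluating user input as a template.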
