SSTI(Server Side Template Injection)


thar...@obc.co.jp

Apr 27, 2022, 12:24:07 AM
to OWASP ZAP Developer Group
Hello.

I'm trying to diagnose if our web app is vulnerable to SSTI.

We developed the app with ASP.NET Razor.

Are the ZAP alerts "90035 Server Side Template Injection" and "90036 Server Side Template Injection (Blind)" targeting ASP.NET Razor for diagnosis?

psiinon

Apr 27, 2022, 4:15:23 AM
to OWASP ZAP Developer Group
Hiya,

All of the relevant rules are linked off that page and those alerts link to the source code.
I'm not aware of any of them specifically targeting ASP.NET Razor, but I'll ping Diogo to see if he knows whether they are likely to work against it anyway.
In the meantime try all of those rules against your app and let us know if they find anything :)

Cheers,

Simon

Diogo Silva

Apr 27, 2022, 4:45:27 AM
to OWASP ZAP Developer Group
Hi,
From a quick look into the Razor templating, the scanner will not be able to find vulns, but I think it is easy to make it work. To do that, it would be nice to have an example of a vulnerable page.
Do you mind making a simple web page and submitting it to my repo (https://github.com/DiogoMRSilva/websitesVulnerableToSSTI)? I can make it, but it might take some time.

Diogo
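A minimal vulnerable Razor page of the kind Diogo asks for, as an added example written for this thread (it is not code from the thread, from ZAP, or from the websitesVulnerableToSSTI repo). It assumes an ASP.NET Core minimal API with the RazorEngine NuGet package (RazorEngine.NetCore); the `/greet` and `/greet-safe` routes, the `Greeting` model and the port are the example's own choices. The first endpoint concatenates the request parameter into the template source, so Razor compiles whatever the client sends as C#; the second keeps the template constant and passes the input as model data, which Razor HTML-encodes on output.

```csharp
// Added example (not from the thread): one Razor-SSTI-vulnerable endpoint beside
// its safe counterpart, built on RazorEngine (NuGet: RazorEngine.NetCore).
// Run with `dotnet run`, then probe both routes with the same input:
//   curl 'http://localhost:5000/greet?name=@(7*7)'       -> <p>Hello 49</p>      (expression evaluated)
//   curl 'http://localhost:5000/greet-safe?name=@(7*7)'  -> <p>Hello @(7*7)</p>  (treated as data)
using RazorEngine;
using RazorEngine.Templating;

var app = WebApplication.CreateBuilder(args).Build();

// VULNERABLE: the query parameter becomes part of the template *source*.
// Razor parses "@(...)" in it as C# and runs it with the web process's privileges.
app.MapGet("/greet", (string name) =>
{
    string template = "<p>Hello " + name + "</p>";
    // RazorEngine caches compiled templates by key, so the key must change whenever
    // the source changes; using the source itself as the key keeps the demo simple.
    string html = Engine.Razor.RunCompile(template, template);
    return Results.Content(html, "text/html");
});

// SAFE: the template is a constant string and the input only reaches it as model
// data. @Model.Name is HTML-encoded on output and is never parsed as Razor syntax.
app.MapGet("/greet-safe", (string name) =>
{
    const string template = "<p>Hello @Model.Name</p>";
    string html = Engine.Razor.RunCompile(template, "greet-safe", typeof(Greeting),
                                          new Greeting { Name = name });
    return Results.Content(html, "text/html");
});

app.Run();

// Model for the safe endpoint (hypothetical name chosen for this example).
public class Greeting
{
    public string Name { get; set; } = "";
}
```

The `@(7*7)` probe is the arithmetic-evaluation style of check an SSTI scanner relies on: if the response contains `49` where the literal payload was sent, the input reached the template compiler rather than the rendered model. Against the safe route the same probe comes back unchanged, which is the behaviour a fixed ZAP rule for Razor would need to distinguish.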

thar...@obc.co.jp

Apr 28, 2022, 1:54:08 AM
to OWASP ZAP Developer Group
Hi, everyone.

I know a great blog that describes Razor's SSTI vulnerability.
It is below.

https://clement.notin.org/blog/2020/04/15/Server-Side-Template-Injection-(SSTI)-in-ASP.NET-Razor/

But I don't know how to submit the code to Diogo's repository.
Also, unfortunately I have never used docker.

Regards,

tharamoto

On Wednesday, April 27, 2022 at 17:45:27 UTC+9, diogo...@gmail.com wrote: