Potential Server Side Template Injection In Velocity
Detects exceptions in velocity template renderer, this most likely happens due to dynamic rendering of user input and may lead to RCE.
Sigma rule (View on GitHub)
1title: Potential Server Side Template Injection In Velocity
2id: 16c86189-b556-4ee8-b4c7-7e350a195a4f
3status: test
4description: Detects exceptions in velocity template renderer, this most likely happens due to dynamic rendering of user input and may lead to RCE.
5references:
6 - https://antgarsil.github.io/posts/velocity/
7 - https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs
8author: Moti Harmats
9date: 2023/02/11
10tags:
11 - attack.initial_access
12 - attack.t1190
13logsource:
14 category: application
15 product: velocity
16 definition: 'Requirements: application error logs must be collected (with LOG_LEVEL=ERROR and above)'
17detection:
18 keywords:
19 - 'ParseErrorException'
20 - 'VelocityException'
21 - 'TemplateInitException'
22 condition: keywords
23falsepositives:
24 - Application bugs
25 - Missing .vm files
26level: high
References
-
-
IntroductionWhen doing application security at scale, you have to make peace with the fact that some issues may as well find their way into production. While we work hard to make sure this almost never happens, we understand that it’s just a fact of life that sometimes some things can slip into production without proper security controls.Photo by Mahdi Bafande on UnsplashThat’s why in addition to constantly “shifting left” our efforts and trying to secure all frameworks “by design”, one of the c
Read More
Related rules
- Potential CVE-2022-21587 Exploitation Attempt
- Potential CVE-2023-23752 Exploitation Attempt
- Potential JNDI Injection Exploitation In JVM Based Application
- Potential Local File Read Vulnerability In JVM Based Application
- Potential OGNL Injection Exploitation In JVM Based Application