Server Side Template Injection Strings
Detects SSTI attempts sent via GET requests in access logs
Sigma rule
title: Server Side Template Injection Strings
id: ada3bc4f-f0fd-42b9-ba91-e105e8af7342
status: test
description: Detects SSTI attempts sent via GET requests in access logs
references:
    - https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection
    - https://github.com/payloadbox/ssti-payloads
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-14
tags:
    - attack.defense-evasion
    - attack.t1221
logsource:
    category: webserver
detection:
    select_method:
        cs-method: 'GET'
    keywords:
        - '={{'
        - '=%7B%7B'
        - '=${'
        - '=$%7B'
        - '=<%='
        - '=%3C%25='
        - '=@('
        - 'freemarker.template.utility.Execute'
        - .getClass().forName('javax.script.ScriptEngineManager')
        - 'T(org.apache.commons.io.IOUtils)'
    filter:
        sc-status: 404
    condition: select_method and keywords and not filter
falsepositives:
    - User searches in search boxes of the respective website
    - Internal vulnerability scanners can cause serious false positives. If you see many of them, consider adding more filters, such as User-Agent strings and additional response codes
level: high
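The rule's logic is small enough to run by hand: a request is flagged when the method is GET, any keyword appears as a substring of the event, and the response status is not 404. The following Python is an added example, not part of the Sigma rule or the Sigma project; it re-implements that logic over a handful of constructed combined-format access-log lines (Apache/nginx style, mapped onto the rule's IIS-style cs-method/sc-status fields), approximating Sigma keyword semantics as a case-insensitive substring search over the whole line. The `decode_uri` option is an assumption of the example, not something the rule does: because the keyword list pairs `={{`, `=${` and `=<%=` with percent-encoded variants but gives `=@(` none, a request carrying `=%40%28` passes the rule as written, and decoding the query once before matching is one way to close that gap.

```python
import re
from urllib.parse import unquote

# Keyword list and method/status constraints copied verbatim from the Sigma rule above.
SSTI_KEYWORDS = [
    "={{",
    "=%7B%7B",
    "=${",
    "=$%7B",
    "=<%=",
    "=%3C%25=",
    "=@(",
    "freemarker.template.utility.Execute",
    ".getClass().forName('javax.script.ScriptEngineManager')",
    "T(org.apache.commons.io.IOUtils)",
]
FILTERED_STATUS = {404}  # the rule's "filter: sc-status: 404"

# Combined log format (Apache/nginx). Assumed parser for the example, not from the rule.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?$'
)

# Constructed sample events (RFC 5737 test addresses). Line 2 carries a payload but
# was answered with 404; line 5 is a POST; line 6 percent-encodes "@(" as "%40%28".
SAMPLE_LOG = """\
203.0.113.7 - - [14/Jun/2022:10:01:02 +0000] "GET /search?q=%7B%7B7*7%7D%7D HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Jun/2022:10:01:05 +0000] "GET /search?q={{7*7}} HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Jun/2022:10:01:09 +0000] "GET /profile?name=${7*7} HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.3 - - [14/Jun/2022:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.3 - - [14/Jun/2022:10:02:30 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Jun/2022:10:03:00 +0000] "GET /search?q=%40%287*7%29 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into the fields the rule needs, or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    # Map onto the rule's W3C-style field names.
    ev["cs-method"] = ev.pop("method")
    ev["sc-status"] = int(ev.pop("status"))
    return ev


def matches_rule(line, decode_uri=False):
    """Evaluate 'select_method and keywords and not filter' for a single log line.

    decode_uri=True additionally searches the URL-decoded request URI, which is NOT part of
    the original rule; it is the example's suggested fix for keywords lacking an encoded form.
    """
    ev = parse_line(line)
    if ev is None:
        return False
    if ev["cs-method"] != "GET":          # select_method
        return False
    if ev["sc-status"] in FILTERED_STATUS:  # not filter
        return False
    haystacks = [line.lower()]            # keywords: case-insensitive substring over the event
    if decode_uri:
        haystacks.append(unquote(ev["uri"]).lower())
    return any(kw.lower() in hay for kw in SSTI_KEYWORDS for hay in haystacks)


def run_rule(log_text, decode_uri=False):
    """Return the 1-based line numbers of every event that fires the rule."""
    return [
        n for n, line in enumerate(log_text.splitlines(), 1)
        if matches_rule(line, decode_uri=decode_uri)
    ]


if __name__ == "__main__":
    print("rule as written:   ", run_rule(SAMPLE_LOG))
    print("with URI decoding: ", run_rule(SAMPLE_LOG, decode_uri=True))
```

Lines 1 and 3 fire as the rule is written; line 2 is suppressed by the 404 filter even though it carries the same payload as line 1, line 5 is excluded by the GET selection, and line 6 only fires once the URI is decoded. Real Sigma backends differ in how they tokenize keyword searches and in which fields a "webserver" log source exposes, so treat the substring approximation here as a model of the rule, not as what any particular SIEM will do with it.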