Server Side Template Injection Strings
Detects SSTI attempts sent via GET requests in access logs
Sigma rule
title: Server Side Template Injection Strings
id: ada3bc4f-f0fd-42b9-ba91-e105e8af7342
status: test
description: Detects SSTI attempts sent via GET requests in access logs
references:
    - https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection
    - https://github.com/payloadbox/ssti-payloads
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/06/14
tags:
    - attack.defense_evasion
    - attack.t1221
logsource:
    category: webserver
detection:
    select_method:
        cs-method: 'GET'
    keywords:
        - '={{'
        - '=%7B%7B'
        - '=${'
        - '=$%7B'
        - '=<%='
        - '=%3C%25='
        - '=@('
        - 'freemarker.template.utility.Execute'
        - .getClass().forName('javax.script.ScriptEngineManager')
        - 'T(org.apache.commons.io.IOUtils)'
    filter:
        sc-status: 404
    condition: select_method and keywords and not filter
falsepositives:
    - User searches in search boxes of the respective website
    - Internal vulnerability scanners can cause some serious FPs when used, if you experience a lot of FPs due to this think of adding more filters such as "User Agent" strings and more response codes
level: high
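The following is an added example, not part of the rule or the Sigma project: it re-implements the three detection blocks (select_method, keywords, filter) and the condition in plain Python and runs them over a handful of constructed W3C-style access-log lines, using the rule's own keyword list. It also shows one thing the keyword list does not cover on its own: a query that is URL-encoded twice (`%257B%257B`) contains neither `={{` nor `=%7B%7B`, so the rule as written misses it. The optional `normalize` flag, which decodes the line once before matching, is an assumption-level extension for illustration, not part of the rule. The field order and every log line are constructed.

```python
"""Apply the SSTI Sigma rule's detection logic to constructed access-log lines.

Added, illustrative re-implementation of the rule's select_method, keywords
and filter blocks. Not Sigma tooling and not code from the rule's author.
The W3C field layout and every log line below are constructed for the example.
"""
from urllib.parse import unquote

# Keyword list copied from the rule's 'keywords' block.
SSTI_KEYWORDS = [
    "={{", "=%7B%7B", "=${", "=$%7B", "=<%=", "=%3C%25=", "=@(",
    "freemarker.template.utility.Execute",
    ".getClass().forName('javax.script.ScriptEngineManager')",
    "T(org.apache.commons.io.IOUtils)",
]

# Constructed W3C extended log lines using IIS-style field names (cs-method,
# sc-status) so they line up with the rule. Not real traffic.
# #Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
SAMPLE_LOG = """\
2022-06-14 10:00:01 10.0.0.5 GET /search q=shoes 200 Mozilla/5.0
2022-06-14 10:00:02 10.0.0.7 GET /profile name=%7B%7B7*7%7D%7D 200 curl/7.81.0
2022-06-14 10:00:03 10.0.0.7 GET /profile name=${7*7} 200 curl/7.81.0
2022-06-14 10:00:04 10.0.0.7 GET /old name={{7*7}} 404 curl/7.81.0
2022-06-14 10:00:05 10.0.0.7 POST /profile name={{7*7}} 200 curl/7.81.0
2022-06-14 10:00:06 10.0.0.9 GET /render tpl=<%=7*7%> 500 python-requests/2.28
2022-06-14 10:00:07 10.0.0.9 GET /profile name=%257B%257B7*7%257D%257D 200 curl/7.81.0
"""

FIELDS = ["date", "time", "c-ip", "cs-method", "cs-uri-stem",
          "cs-uri-query", "sc-status", "cs(User-Agent)"]


def parse_w3c(line):
    """Split one space-separated W3C line into a dict keyed by field name."""
    parts = line.split(" ", len(FIELDS) - 1)
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def keyword_hit(raw_line, normalize=False):
    """Return the first rule keyword found in the line, or None.

    Sigma 'keywords' are a case-insensitive full-text substring search over the
    whole event. normalize=True URL-decodes the line once before matching; this
    is an extension assumed for the example, not part of the rule.
    """
    haystack = unquote(raw_line) if normalize else raw_line
    haystack = haystack.lower()
    for kw in SSTI_KEYWORDS:
        if kw.lower() in haystack:
            return kw
    return None


def matches_rule(event, raw_line, normalize=False):
    """condition: select_method and keywords and not filter"""
    select_method = event["cs-method"].upper() == "GET"
    keywords = keyword_hit(raw_line, normalize) is not None
    filtered = event["sc-status"] == "404"           # filter: sc-status: 404
    return select_method and keywords and not filtered


def run_rule(log_text, normalize=False):
    """Return (line number, matched keyword, decoded query) for each alert."""
    alerts = []
    for lineno, raw in enumerate(log_text.splitlines(), start=1):
        event = parse_w3c(raw)
        if event is None:
            continue
        if matches_rule(event, raw, normalize):
            alerts.append((lineno, keyword_hit(raw, normalize),
                           unquote(event["cs-uri-query"])))
    return alerts


if __name__ == "__main__":
    print("rule as written:")
    for alert in run_rule(SAMPLE_LOG):
        print("  ALERT", alert)
    print("with one round of URL decoding before matching:")
    for alert in run_rule(SAMPLE_LOG, normalize=True):
        print("  ALERT", alert)
```

Run as written, lines 2, 3 and 6 alert: the 404 line is dropped by the filter and the POST line never enters select_method, exactly as the condition specifies. Line 7 only alerts with `normalize=True`, which is the practical reason to decode the query once at ingestion (or to add the double-encoded prefixes to the keyword list) if the application behind the server decodes parameters itself.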