Server Side Template Injection Strings
Detects SSTI attempts sent via GET requests in access logs
Sigma rule (View on GitHub)
1title: Server Side Template Injection Strings
2id: ada3bc4f-f0fd-42b9-ba91-e105e8af7342
3status: test
4description: Detects SSTI attempts sent via GET requests in access logs
5references:
6 - https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection
7 - https://github.com/payloadbox/ssti-payloads
8author: Nasreddine Bencherchali (Nextron Systems)
9date: 2022/06/14
10tags:
11 - attack.defense_evasion
12 - attack.t1221
13logsource:
14 category: webserver
15detection:
16 select_method:
17 cs-method: 'GET'
18 keywords:
19 - '={{'
20 - '=%7B%7B'
21 - '=${'
22 - '=$%7B'
23 - '=<%='
24 - '=%3C%25='
25 - '=@('
26 - 'freemarker.template.utility.Execute'
27 - .getClass().forName('javax.script.ScriptEngineManager')
28 - 'T(org.apache.commons.io.IOUtils)'
29 filter:
30 sc-status: 404
31 condition: select_method and keywords and not filter
32falsepositives:
33 - User searches in search boxes of the respective website
34 - Internal vulnerability scanners can cause some serious FPs when used, if you experience a lot of FPs due to this think of adding more filters such as "User Agent" strings and more response codes
35level: high
References
-
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! RootedCON is the most relevant cybersecurity event in Spain and one of the most important in Europe. With the missi...
Read More -
🎯 Server Side Template Injection Payloads. Contribute to payloadbox/ssti-payloads development by creating an account on GitHub.
Read More
Related rules
- AMSI Bypass Pattern Assembly GetType
- Abuse of Service Permissions to Hide Services Via Set-Service
- Abuse of Service Permissions to Hide Services Via Set-Service - PS
- Account Created And Deleted Within A Close Time Frame
- Account Tampering - Suspicious Failed Logon Reasons