← Back to Explore
sigmahighHunting
Server Side Template Injection Strings
Detects SSTI attempts sent via GET requests in access logs
Detection Query
select_method:
cs-method: GET
keywords:
- ={{
- =%7B%7B
- =${
- =$%7B
- =<%=
- =%3C%25=
- =@(
- freemarker.template.utility.Execute
- .getClass().forName('javax.script.ScriptEngineManager')
- T(org.apache.commons.io.IOUtils)
filter:
sc-status: 404
condition: select_method and keywords and not filter
Author
Nasreddine Bencherchali (Nextron Systems)
Created
2022-06-14
Data Sources
webserver
References
Tags
attack.defense-evasionattack.t1221
Raw Content
title: Server Side Template Injection Strings
id: ada3bc4f-f0fd-42b9-ba91-e105e8af7342
status: test
description: Detects SSTI attempts sent via GET requests in access logs
references:
- https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection
- https://github.com/payloadbox/ssti-payloads
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-14
tags:
- attack.defense-evasion
- attack.t1221
logsource:
category: webserver
detection:
select_method:
cs-method: 'GET'
keywords:
- '={{'
- '=%7B%7B'
- '=${'
- '=$%7B'
- '=<%='
- '=%3C%25='
- '=@('
- 'freemarker.template.utility.Execute'
- .getClass().forName('javax.script.ScriptEngineManager')
- 'T(org.apache.commons.io.IOUtils)'
filter:
sc-status: 404
condition: select_method and keywords and not filter
falsepositives:
- User searches in search boxes of the respective website
- Internal vulnerability scanners can cause some serious FPs when used, if you experience a lot of FPs due to this think of adding more filters such as "User Agent" strings and more response codes
level: high