feat(934200): detect Server-Side Template Injection (SSTI) attacks #4600
Good PR
@zoutjebot Thanks for the PR. Questions:

ping @zoutjebot
- Add regex-assembly/934175.ra with documented pattern structure
- Regenerate .conf via crs-toolchain (optimized character classes)
- Add standard crs-toolchain header comment to rule block

Addresses review feedback from fzipi on PR coreruleset#4600.
Thanks for the review, Felipe. Addressing each point:

Difference between this rule and 934180: 934180 (PL2) matches This rule targets a narrower, higher-confidence pattern: it matches In short: 934180 catches broad template syntax at PL2, this rule catches template syntax with execution intent at PL1.

Rule ID: Will renumber to a multiple of 10. However, all PL1 slots from 934100 through 934170 are currently taken and 934180+ is PL2. Where would you like this placed?
Thanks. It doesn't matter as rules aren't constrained to have an id smaller than the ones in PL2. So the next one free in the 934 is good.

@zoutjebot Use 934200.
Force-pushed 498c5ab to 05377bb
Done. Renumbered to 934200 — .ra file, .conf, and tests all updated. Rebased on latest main.

@zoutjebot, rename the title from

Updated the PR title. Thanks.
already

```console
relunsec@relunsec:~$ curl https://sandbox.coreruleset.org/?q=%7B%7B7*7%7D%7D -H "X-Format-Output: txt-matched-rules" -H "x-crs-paranoia-level: 2"
941380 PL2 AngularJS client side template injection detected
949110 PL? Inbound Anomaly Score Exceeded (Total Score: 5)
980170 PL? Anomaly Scores: (Inbound Scores: blocking=5, detection=5, per_pl=0-5-0-0, threshold=5) - (Outbound Scores: blocking=0, detection=0, per_pl=0-0-0-0, threshold=4) - (SQLI=0, XSS=5, RFI=0, LFI=0, RCE=0, PHPI=0, HTTP=0, SESS=0, COMBINED_SCORE=5)
relunsec@relunsec:~$
```

and

```console
relunsec@relunsec:~$ curl https://sandbox.coreruleset.org/?q=%7B%7B\'\'.__class__%7D%7D -H "X-Format-Output: txt-matched-rules" -H "x-crs-paranoia-level: 2"
941380 PL2 AngularJS client side template injection detected
949110 PL? Inbound Anomaly Score Exceeded (Total Score: 5)
980170 PL? Anomaly Scores: (Inbound Scores: blocking=5, detection=5, per_pl=0-5-0-0, threshold=5) - (Outbound Scores: blocking=0, detection=0, per_pl=0-0-0-0, threshold=4) - (SQLI=0, XSS=5, RFI=0, LFI=0, RCE=0, PHPI=0, HTTP=0, SESS=0, COMBINED_SCORE=5)
relunsec@relunsec:~$
```

detected
Add new rule 934175 to detect SSTI attacks in template engines at PL1.
Detects code execution indicators inside template syntax:
- Jinja2/Twig: {{7*7}}, {{''.__class__.__mro__}}
- Ruby ERB: <%= system('id') %>
- Expression Language: #{runtime.exec('id')}
The regex requires arithmetic (*), dunder access (__), or function
call syntax (( ) inside template delimiters to minimize false
positives from legitimate template usage.
Refs: coreruleset#4584
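The commit message above describes the shape of the detection (a template delimiter pair that also contains an execution indicator) without reproducing the generated regex. The following is an added illustration of that idea in Python; it is not the project's code, and the pattern `SSTI_RE` is my own reconstruction of the described structure, not the regex that crs-toolchain generates from `934200.ra`. The helper names `is_ssti` and `scan`, the URL-decoding step, and all sample strings are assumptions constructed for the example. The negative cases are the three legitimate template variables named in the test commit, plus two extra ones, and one deliberately benign filter call is included to show the trade-off that the "function call syntax" indicator introduces.

```python
import re
from urllib.parse import unquote

# Illustrative re-implementation of the detection idea described in the commit
# message. This is NOT the regex shipped in rule 934200 (that one is generated
# by crs-toolchain from regex-assembly/934200.ra and is not shown on this page).
#
# Idea: only flag template syntax that also carries an execution indicator
# inside the delimiters: an arithmetic operator (*), dunder access (__), or a
# function call "(...)". Plain variable references stay unflagged.
_EXEC = r"(?:\*|__|\([^)]*\))"

_ALTERNATIVES = [
    r"\{\{[^}]*" + _EXEC + r"[^}]*\}\}",   # Jinja2 / Twig: {{ ... }}
    r"<%=[^%]*" + _EXEC + r"[^%]*%>",      # Ruby ERB: <%= ... %>
    r"#\{[^}]*" + _EXEC + r"[^}]*\}",      # Expression Language: #{ ... }
]
SSTI_RE = re.compile("|".join(_ALTERNATIVES))


def is_ssti(value: str) -> bool:
    """True if `value` holds template syntax with an execution indicator.

    The argument is URL-decoded first, mirroring the fact that a WAF
    normalises request arguments before matching. Which transformations
    rule 934200 actually applies is an assumption here, not taken from
    the page.
    """
    return SSTI_RE.search(unquote(value)) is not None


def scan(values):
    """Return the subset of `values` that is_ssti() flags, in input order."""
    return [v for v in values if is_ssti(v)]


# Constructed samples (not from the project's test suite). Positives follow the
# payload shapes named in the commit message; negatives follow its "legitimate
# template variable" cases.
POSITIVE = [
    "{{7*7}}",                    # Jinja2/Twig arithmetic
    "{{''.__class__.__mro__}}",   # Jinja2/Twig dunder access
    "<%= system('id') %>",        # ERB command execution
    "<%= 7*7 %>",                 # ERB arithmetic
    "#{runtime.exec('id')}",      # EL function call
    "#{7*7}",                     # EL arithmetic
    "%7B%7B7*7%7D%7D",            # URL-encoded {{7*7}}, as sent in a query string
]
NEGATIVE = [
    "{{username}}",
    "<%=title%>",
    "#{name}",
    "{{ user.name | upper }}",    # filter without call syntax
    "7*7",                        # arithmetic outside any delimiter
]

# Trade-off of the "call syntax" indicator: a harmless filter with arguments
# also has "(...)" inside the delimiters, so this pattern flags it too.
BENIGN_BUT_FLAGGED = "{{ name | truncate(10) }}"


if __name__ == "__main__":
    for sample in POSITIVE + NEGATIVE + [BENIGN_BUT_FLAGGED]:
        print(("MATCH   " if is_ssti(sample) else "ignore  ") + sample)
```

Running the block prints one line per sample. The last sample shows why a PL1 rule built on these indicators still needs negative tests for template filters that take arguments: anything with parentheses inside `{{ }}` will match a pattern of this shape. For checking a payload against the real rule set rather than this stand-in, the sandbox calls shown earlier in the thread (`curl https://sandbox.coreruleset.org/?q=... -H "X-Format-Output: txt-matched-rules" -H "x-crs-paranoia-level: N"`) report exactly which rule IDs fired at a given paranoia level.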
- 6 positive tests: Jinja2/Twig (arithmetic, dunder), EL (function call,
arithmetic), ERB (arithmetic, system command)
- 3 negative tests: legitimate template variables ({{username}},
<%=title%>, #{name}) should not trigger
Fixes CI lint check: rule does not have any tests.
Per fzipi's review: rule IDs must be multiples of 10. fzipi confirmed 934200 as the next free ID in the 934 family.

Renamed:
- regex-assembly/934175.ra -> 934200.ra
- tests/.../934175.yaml -> 934200.yaml
- Updated rule id in .conf
Force-pushed 05377bb to c32323e
What
New PL1 rule detecting SSTI payloads in Jinja2, Twig, ERB, and Expression Language. Requires code execution indicators inside template delimiters.
Context
Part of CVE-derived payload research FN improvements. See tracking issue #4584 for full context.
Refs: #4584