coreruleset · fzipi · Apr 25, 2026 · Mar 30, 2026 · Apr 17, 2026 · Apr 17, 2026
diff --git a/regex-assembly/934200.ra b/regex-assembly/934200.ra
@@ -0,0 +1,38 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##! Detect Server-Side Template Injection (SSTI) attacks at PL1.
+##! Matches template delimiters only when they contain code execution
+##! indicators: arithmetic (*), dunder access (__), or function calls (().
+##! This is stricter than 934180 (PL2) which matches broad template syntax.
+
+##! Execution indicators: patterns that suggest code execution
+##! rather than simple variable interpolation.
+##!> define exec-indicators (?:\*|__|\()
+
+##! Jinja2/Twig: {{7*7}}, {{''.__class__}}, {{config.items()}}
+##!> assemble
+  \{\{[^}]*?
+  ##!=>
+  {{exec-indicators}}
+  ##!=>
+  [^}]*?\}\}
+##!<
+
+##! Expression Language: #{runtime.exec('id')}, #{7*7}
+##!> assemble
+  #\{[^}]*?
+  ##!=>
+  {{exec-indicators}}
+  ##!=>
+  [^}]*?\}
+##!<
+
+##! ERB/JSP: <%=7*7%>, <% system('id') %>
+##!> assemble
+  <%=?\s*[^%]*?
+  ##!=>
+  {{exec-indicators}}
+  ##!=>
+  [^%]*?%>
+##!<
diff --git a/rules/REQUEST-934-APPLICATION-ATTACK-GENERIC.conf b/rules/REQUEST-934-APPLICATION-ATTACK-GENERIC.conf
@@ -273,6 +273,38 @@ SecRule REQUEST_FILENAME|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|X
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
+#
+# Detects SSTI (Server-Side Template Injection) attacks at PL1.
+# Requires code execution indicators (arithmetic, dunder access, function calls)
+# inside template syntax to reduce false positives.
+# Examples: {{7*7}}, #{system('id')}, <%= 7*7 %>
+#
+# Regular expression generated from regex-assembly/934200.ra.
+# To update the regular expression run the following shell script
+# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
+#   crs-toolchain regex update 934200
+#
+SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:\{\{[^\}]*?(?:[\(\*]|__)[^\}]*?\}|#\{[^\}]*?(?:[\(\*]|__)[^\}]*?)\}|<%=?[\s\x0b]*[^%]*?(?:[\(\*]|__)[^%]*?%>" \
+    "id:934200,\
+    phase:2,\
+    block,\
+    capture,\
+    t:none,t:urlDecodeUni,\
+    msg:'Server-Side Template Injection (SSTI) Attack',\
+    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+    tag:'application-multi',\
+    tag:'platform-multi',\
+    tag:'attack-ssti',\
+    tag:'attack-injection-generic',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-GENERIC',\
+    tag:'capec/1000/152/242',\
+    ver:'OWASP_CRS/4.26.0-dev',\
+    severity:'CRITICAL',\
+    setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
+    setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
 SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:934013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.26.0-dev',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
 SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:934014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.26.0-dev',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
 #

diff --git a/tests/regression/tests/REQUEST-934-APPLICATION-ATTACK-GENERIC/934200.yaml b/tests/regression/tests/REQUEST-934-APPLICATION-ATTACK-GENERIC/934200.yaml
@@ -0,0 +1,151 @@
+---
+meta:
+  author: "zoutjebot"
+rule_id: 934200
+tests:
+  # === Positive tests (should trigger) ===
+  - test_id: 1
+    desc: "Jinja2/Twig SSTI - arithmetic in double curly braces"
+    stages:
+      - input:
+          dest_addr: 127.0.0.1
+          headers:
+            Accept: "*/*"
+            Host: localhost
+            User-Agent: "OWASP CRS test agent"
+          method: GET
+          port: 80
+          uri: "/get?x=%7b%7b7*7%7d%7d"
+          version: HTTP/1.1
+        output:
+          log:
+            expect_ids: [934200]
+  - test_id: 2
+    desc: "Jinja2/Twig SSTI - dunder access in double curly braces"
+    stages:
+      - input:
+          dest_addr: 127.0.0.1
+          headers:
+            Accept: "*/*"
+            Host: localhost
+            User-Agent: "OWASP CRS test agent"
+          method: GET
+          port: 80
+          uri: "/get?x=%7b%7b%27%27.__class__.__mro__%7d%7d"
+          version: HTTP/1.1
+        output:
+          log:
+            expect_ids: [934200]
+  - test_id: 3
+    desc: "Expression Language SSTI - function call in hash curly"
+    stages:
+      - input:
+          dest_addr: 127.0.0.1
+          headers:
+            Accept: "*/*"
+            Host: localhost
+            User-Agent: "OWASP CRS test agent"
+          method: GET
+          port: 80
+          uri: "/get?x=%23%7bruntime.exec(%27id%27)%7d"
+          version: HTTP/1.1
+        output:
+          log:
+            expect_ids: [934200]
+  - test_id: 4
+    desc: "ERB SSTI - arithmetic in angle bracket percent"
+    stages:
+      - input:
+          dest_addr: 127.0.0.1
+          headers:
+            Accept: "*/*"
+            Host: localhost
+            User-Agent: "OWASP CRS test agent"
+          method: GET
+          port: 80
+          uri: "/get?x=%3c%25%3d7*7%25%3e"
+          version: HTTP/1.1
+        output:
+          log:
+            expect_ids: [934200]
+  - test_id: 5
+    desc: "ERB SSTI - function call with system command"
+    stages:
+      - input:
+          dest_addr: 127.0.0.1
+          headers:
+            Accept: "*/*"
+            Host: localhost
+            User-Agent: "OWASP CRS test agent"
+          method: GET
+          port: 80
+          uri: "/get?x=%3c%25%20system(%27id%27)%20%25%3e"
+          version: HTTP/1.1
+        output:
+          log:
+            expect_ids: [934200]
+  - test_id: 6
+    desc: "Expression Language SSTI - arithmetic in hash curly"
+    stages:
+      - input:
+          dest_addr: 127.0.0.1
+          headers:
+            Accept: "*/*"
+            Host: localhost
+            User-Agent: "OWASP CRS test agent"
+          method: GET
+          port: 80
+          uri: "/get?x=%23%7b7*7%7d"
+          version: HTTP/1.1
+        output:
+          log:
+            expect_ids: [934200]
+  # === Negative tests (should NOT trigger) ===
+  - test_id: 7
+    desc: "Legitimate template variable - no execution indicators"
+    stages:
+      - input:
+          dest_addr: 127.0.0.1
+          headers:
+            Accept: "*/*"
+            Host: localhost
+            User-Agent: "OWASP CRS test agent"
+          method: GET
+          port: 80
+          uri: "/get?x=%7b%7busername%7d%7d"
+          version: HTTP/1.1
+        output:
+          log:
+            no_expect_ids: [934200]
+  - test_id: 8
+    desc: "Legitimate ERB output tag - simple variable"
+    stages:
+      - input:
+          dest_addr: 127.0.0.1
+          headers:
+            Accept: "*/*"
+            Host: localhost
+            User-Agent: "OWASP CRS test agent"
+          method: GET
+          port: 80
+          uri: "/get?x=%3c%25%3dtitle%25%3e"
+          version: HTTP/1.1
+        output:
+          log:
+            no_expect_ids: [934200]
+  - test_id: 9
+    desc: "Legitimate EL variable - no execution indicators"
+    stages:
+      - input:
+          dest_addr: 127.0.0.1
+          headers:
+            Accept: "*/*"
+            Host: localhost
+            User-Agent: "OWASP CRS test agent"
+          method: GET
+          port: 80
+          uri: "/get?x=%23%7bname%7d"
+          version: HTTP/1.1
+        output:
+          log:
+            no_expect_ids: [934200]