Adversaries may attempt Server Side Template Injection by embedding malicious strings in GET requests, which can lead to remote code execution. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential web application vulnerabilities before they are exploited.
Detection Rule
title: Server Side Template Injection Strings
id: ada3bc4f-f0fd-42b9-ba91-e105e8af7342
status: test
description: Detects SSTI attempts sent via GET requests in access logs
references:
- https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection
- https://github.com/payloadbox/ssti-payloads
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-14
tags:
- attack.defense-evasion
- attack.t1221
logsource:
category: webserver
detection:
select_method:
cs-method: 'GET'
keywords:
- '={{'
- '=%7B%7B'
- '=${'
- '=$%7B'
- '=<%='
- '=%3C%25='
- '=@('
- 'freemarker.template.utility.Execute'
- .getClass().forName('javax.script.ScriptEngineManager')
- 'T(org.apache.commons.io.IOUtils)'
filter:
sc-status: 404
condition: select_method and keywords and not filter
falsepositives:
- User searches in search boxes of the respective website
- Internal vulnerability scanners can cause some serious FPs when used, if you experience a lot of FPs due to this think of adding more filters such as "User Agent" strings and more response codes
level: high
imWebSession
| where HttpRequestMethod =~ "GET" and ("={{" or "=%7B%7B" or "=${" or "=$%7B" or "=<%=" or "=%3C%25=" or "=@(" or "freemarker.template.utility.Execute" or ".getClass().forName('javax.script.ScriptEngineManager')" or "T(org.apache.commons.io.IOUtils)") and (not(HttpStatusCode == 404))Scenario: A system administrator uses a tool like curl or wget to test a legitimate API endpoint that includes template variables for debugging purposes.
Filter/Exclusion: Exclude requests containing known admin tools or user-agent strings associated with system administration (e.g., curl, wget, Postman).
Scenario: A scheduled job runs via cron or Task Scheduler to generate reports using a templating engine like Jinja2 or Freemarker, which includes dynamic variables in the request.
Filter/Exclusion: Exclude requests originating from system processes or with specific User-Agent headers indicating automated jobs (e.g., cron, systemd, Task Scheduler).
Scenario: A developer uses a tool like Postman or Insomnia to manually test a web application’s templating engine during development, including valid template syntax.
Filter/Exclusion: Exclude requests with User-Agent strings matching development tools (e.g., Postman, Insomnia, curl), or filter by IP addresses associated with development environments.
Scenario: A legitimate log aggregation tool like Fluentd or Logstash sends templated logs to a centralized logging system, including dynamic fields in the request.
Filter/Exclusion: Exclude requests from known log aggregation services or IP ranges associated with internal logging infrastructure.
Scenario: A CI/CD pipeline (e.g., Jenkins, GitLab CI) sends templated requests to a staging environment to validate template rendering, which may include valid template syntax.
Filter/Exclusion: Exclude requests from CI/CD IP ranges, user agents, or headers that identify automated pipeline traffic (e.g., Jenkins, GitLab, CircleCI).