Simple inputs can conceal an expansive attack surface. Feature-rich web applications often embed user input in web templates in an attempt to offer flexible functionality and developer shortcuts, creating a vulnerability easily mistaken for XSS. In this presentation, I'll discuss techniques to recognize template injection, then show how to take template engines on a journey deeply orthogonal to their intended purpose and ultimately gain arbitrary code execution. I'll show this technique being applied to craft exploits that hijack four popular template engines, then demonstrate RCE zero-days on two corporate web applications.
This presentation will also cover techniques for automated detection of template injection, and exploiting subtle, application-specific vulnerabilities that can arise in otherwise secure template systems.
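As an added illustration (example code written for this page, not the speaker's own code nor that of any real template engine): a constructed miniature engine that evaluates `{{ expr }}` against a context the way real engines evaluate their expression language, the vulnerable pattern of concatenating user input into the template source beside the safe pattern of passing it as context data, and the arithmetic-probe check that is the usual first step in recognizing template injection. The `render` engine, the two `greet_*` handlers and the `PROBES` table are assumptions made for the example; real engines differ in syntax and in which expressions they accept.

```python
import re

# Constructed stand-in for a real template engine (Jinja2, Twig, ...): it
# evaluates every {{ expr }} found in the TEMPLATE SOURCE against a context
# dict. The eval() is only a stand-in for an engine's expression language;
# its emptied builtins are not a security boundary and are not the point.
_EXPR = re.compile(r"\{\{\s*(.*?)\s*\}\}")


def render(template_source: str, context: dict) -> str:
    """Render template_source, replacing each {{ expr }} with its value."""
    def _evaluate(match):
        return str(eval(match.group(1), {"__builtins__": {}}, dict(context)))
    # re.sub never re-scans replacement text, so a value that arrives via
    # the context is substituted verbatim and never parsed as template code.
    return _EXPR.sub(_evaluate, template_source)


def greet_vulnerable(name: str) -> str:
    """Vulnerable: user input is concatenated into the template source.

    Any template syntax inside `name` is parsed and evaluated by the engine,
    so this is template injection even though it looks like an XSS sink."""
    return render("Hello " + name + "!", {})


def greet_safe(name: str) -> str:
    """Safe: the template is a fixed string; user input is passed as DATA
    through the context, so it is substituted but never evaluated."""
    return render("Hello {{ name }}!", {"name": name})


# Arithmetic probes in three common syntax families. The product is chosen
# so it will not appear in a normal response by accident: if it shows up,
# the application evaluated our input as template code.
_PRODUCT = str(7123 * 5131)
PROBES = {
    "double-brace": "{{7123*5131}}",    # Jinja2, Twig
    "dollar-brace": "${7123*5131}",     # FreeMarker, Velocity, Java EL
    "erb-style": "<%= 7123*5131 %>",    # ERB and similar
}


def detect_template_injection(render_fn) -> list:
    """Return the syntax families whose probe render_fn evaluated.

    render_fn stands in for the request that carries attacker-controlled
    input to the page (assumption: it returns the response body as str)."""
    hits = []
    for family, probe in PROBES.items():
        try:
            body = render_fn(probe)
        except Exception:
            # An engine error on a syntax probe deserves a manual look, but
            # it is not proof that the input was evaluated.
            continue
        if _PRODUCT in body and probe not in body:
            hits.append(family)
    return hits


if __name__ == "__main__":
    print(greet_vulnerable("{{7*7}}"))           # expression is evaluated
    print(greet_safe("{{7*7}}"))                 # braces come back as data
    print(detect_template_injection(greet_vulnerable))
    print(detect_template_injection(greet_safe))
```

The check deliberately requires the product to appear while the raw probe does not, so a page that merely reflects the input (the XSS look-alike case) is not reported; a hit on one family tells you which engine's expression language to explore next.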
James Kettle is head of research at PortSwigger Web Security, where he designs and refines vulnerability detection techniques for Burp Suite's scanner. Recent work has focused on the design of the new Burp Collaborator system for identifying and exploiting SSRF, asynchronous blind code injection and out-of-band attack delivery. James has extensive experience bug-bounty hunting across Mozilla's and Google's heavily secured infrastructure, which saw him ranked 6th in Google's 0x0A list for 2012/13. As part of this he has performed security research culminating in novel attack techniques, such as abusing the HTTP Host header to poison password reset emails and server-side caches, affecting numerous ubiquitous web frameworks including Django, Drupal, Symfony and Joomla. Other contributions to the field include 'formula injection': tricking websites' CSV export functionality into delivering spreadsheet software zero-days and exploiting ill-defined trust boundaries.