${talk.name}: An Introduction to Template Injection

Presented at ToorCamp 2022, July 14, 2022, 3 p.m. (50 minutes).

In this talk, I'll begin by explaining what templating engines are, what need they serve, and detail where templates are generally used. I'll then discuss how bugs in these systems can arise, how they can be detected as an attacker, and how they can be exploited. I'll also discuss significant examples of template injection bugs, such as Log4Shell, and talk about how they were exploited and fixed.

Software is always changing, and new technology means new bugs. Modern web frameworks and technologies may be more resistant to classic bugs such as XSS and command injection, but templating engines open a new world of attack surface. Template injection bugs are often overlooked, but often lead to very serious vulnerabilities that are simple to exploit. In this talk, I'll map out the landscape of templating engines, explain why template injection bugs occur, and talk about how they can be identified and exploited.

Presenters:

• Dylan Katz
  Dylan is a Technical Lead at Leviathan Security Group. Previously he's worked in defensive security, and as a software engineer. He's engaged with the security community for several years, largely through open source contributions and research. Through these roles, he's worked extensively with a broad variety of web application technologies and languages, both for building, and breaking software.

Links:

• https://talks.toorcon.net/toorcamp-2020-2019/talk/9QCFRT/

Similar Presentations:

• REcon Brussels 2017 / Your Chakra Is Not Aligned
• Black Hat USA 2015 / Server-Side Template Injection: RCE for the Modern Web App
• Red Team Summit 2019 / Docx Remote Template Injection