Merge pull request #230 from alp1n3-eth/main

Added Active SSTI Razor BCheck
PortSwigger · Sep 24, 2024 · 356ae33 · 356ae33
2 parents 26bdcc5 + 0873b66
commit 356ae33
Showing 1 changed file with 29 additions and 0 deletions.
diff --git a/vulnerability-classes/injection/SSTI-Razor.bcheck b/vulnerability-classes/injection/SSTI-Razor.bcheck
@@ -0,0 +1,29 @@
+metadata:
+    language: v2-beta
+    name: ".NET Razor SSTI Injection"
+    description: "Inserts a .NET Razor SSTI payload into each parameter to detect suspicious input evaluation"
+    author: "alp1n3.eth"
+    tags: "active", "injection", "template", "template injection", "scan", "ssti", "razor"
+    # reference 1: https://clement.notin.org/blog/2020/04/15/Server-Side-Template-Injection-(SSTI)-in-ASP.NET-Razor/
+    # reference 2: https://www.schtech.co.uk/razor-pages-ssti-rce/
+
+
+define:
+    calculation = "@(1337*1337)"
+    answer = "1787569"
+
+
+given query or body insertion point then
+    if not({answer} in {base.response}) then
+	    send payload:
+	        replacing: {calculation}
+
+        if {answer} in {latest.response} then
+            report issue:
+                severity: high
+                confidence: firm
+                detail: "The application evaluates input in a way that suggests it is vulnerable to ASP.NET Razor SSTI. This may potentially be escalated to achieving C# execution (RCE)."
+                remediation: "Manual investigation is advised. Do not build templates dynamically from user-controlled data."
+
+        end if
+    end if