Active SSTI Razor Check

Checks for the evaluation of arithmetic in server-side template injection scenarios using Razor (ASP.NET).
PortSwigger · Sep 20, 2024 · c3ebe2b · c3ebe2b
1 parent 26bdcc5
commit c3ebe2b
Showing 1 changed file with 27 additions and 0 deletions.
diff --git a/vulnerability-classes/injection/SSTI-Razor.bcheck b/vulnerability-classes/injection/SSTI-Razor.bcheck
@@ -0,0 +1,27 @@
+metadata:
+    language: v2-beta
+    name: ".NET Razor SSTI Injection"
+    description: "Inserts a .NET Razor SSTI payload into each parameter to detect suspicious input evaluation"
+    author: "alp1n3.eth"
+    tags: "active", "injection", "template", "template injection", "scan", "ssti", "razor"
+# reference 1: https://clement.notin.org/blog/2020/04/15/Server-Side-Template-Injection-(SSTI)-in-ASP
+# reference 2: https://www.schtech.co.uk/razor-pages-ssti-rce/
+
+
+define:
+    calculation = "@(1337*1337)"
+    answer = "1787569"
+
+
+given query or body insertion point then
+    send payload:
+        replacing: {calculation}
+
+    if {answer} in {latest.response} then
+        report issue:
+            severity: high
+            confidence: firm
+            detail: "The application evaluates input in a way that suggests it is vulnerable to ASP.NET Razor SSTI. This may potentially be escalated to achieving C# execution (RCE)."
+            remediation: "Manual investigation is advised. Do not build templates dynamically from user-controlled data."
+
+    end if