From c3ebe2b96f7f181ad4e784fa0c417f93539f1971 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?alp1n3=20=F0=9F=8C=B2?= <59985265+alp1n3-eth@users.noreply.github.com>
Date: Fri, 20 Sep 2024 13:12:14 -0400
Subject: [PATCH] Active SSTI Razor Check

Checks for the evaluation of arithmetic in server-side template injection scenarios using Razor (ASP.NET).
---
.../injection/SSTI-Razor.bcheck | 27 +++++++++++++++++++
1 file changed, 27 insertions(+)
create mode 100644 vulnerability-classes/injection/SSTI-Razor.bcheck
diff --git a/vulnerability-classes/injection/SSTI-Razor.bcheck b/vulnerability-classes/injection/SSTI-Razor.bcheck
new file mode 100644
index 0000000..bd08a45
--- /dev/null
+++ b/vulnerability-classes/injection/SSTI-Razor.bcheck
@@ -0,0 +1,27 @@
+metadata:
+ language: v2-beta
+ name: ".NET Razor SSTI Injection"
+ description: "Inserts a .NET Razor SSTI payload into each parameter to detect suspicious input evaluation"
+ author: "alp1n3.eth"
+ tags: "active", "injection", "template", "template injection", "scan", "ssti", "razor"
+# reference 1: https://clement.notin.org/blog/2020/04/15/Server-Side-Template-Injection-(SSTI)-in-ASP
+# reference 2: https://www.schtech.co.uk/razor-pages-ssti-rce/
+
+
+define:
+ calculation = "@(1337*1337)"
+ answer = "1787569"
+
+
+given query or body insertion point then
+ send payload:
+ replacing: {calculation}
+
+ if {answer} in {latest.response} then
+ report issue:
+ severity: high
+ confidence: firm
+ detail: "The application evaluates input in a way that suggests it is vulnerable to ASP.NET Razor SSTI. This may potentially be escalated to achieving C# execution (RCE)."
+ remediation: "Manual investigation is advised. Do not build templates dynamically from user-controlled data."
+
+ end if
\ No newline at end of file
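Review bot: The condition `if {answer} in {latest.response} then` has no baseline guard, so any page that already contains the digits 1787569 before the payload is sent (an ID, a timestamp, a price) is reported as Razor SSTI at `severity: high` / `confidence: firm`. Wrap the `send payload:` step and the report in `if not({answer} in {base.response}) then` … `end if`, so that only responses where the product appears after injection raise an issue. A single substring match is still weak evidence, so `confidence: tentative` would fit the "manual investigation is advised" remediation text better than `firm`. A short comment above `define:` saying that `answer` is the product of the two operands in `calculation` would keep the pair in sync if someone later changes the numbers.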