Basic server-side template injection


This lab is vulnerable to server-side template injection due to the unsafe construction of an ERB template.

Reproduction and proof of concept

  1. Notice that when you try to view more details about the first product, a GET request uses the message parameter to render “Unfortunately this product is out of stock” on the home page.

GET /?message=Unfortunately%20this%20product%20is%20out%20of%20stock HTTP/1.1
  1. In the ERB documentation, discover that the syntax <%= someExpression %> is used to evaluate an expression and render the result on the page.

  2. Use ERB template syntax to create a test payload containing a mathematical operation, for example:

<%= 7*7 %>
  1. URL-encode this payload and insert it as the value of the message parameter in the URL:<%25%3d+7*7+%25>
  1. Load the URL in your browser. Notice that in place of the message, the result of your mathematical operation is rendered on the page, in this case, the number 49. This indicates that we may have a server-side template injection vulnerability.

  2. From the Ruby documentation, discover the system() method, which can be used to execute arbitrary operating system commands.

  3. Construct a payload to delete Carlos’s file:

<%= system("rm /home/carlos/morale.txt") %>
  1. URL-encode the payload and insert it as the value of the message parameter:<%25+system("rm+/home/carlos/morale.txt")+%25>


An attacker will need to review the ERB documentation to find out how to execute arbitrary code, then delete the morale.txt file from Carlos’s home directory.