TInjA: CLI tool for testing web pages for template injection vulnerabilities

TInjA – the Template INJection Analyzer

TInjA is a CLI tool for testing web pages for template injection vulnerabilities.

It supports 44 of the most relevant template engines (as of September 2023) for eight different programming languages.

Features

  • Automatic detection of template injection possibilities and identification of the template engine in use.
    • 44 of the most relevant template engines are supported.
    • Both SSTI and CSTI vulnerabilities are detected.
      • SSTI = server-side template injection
      • CSTI = client-side template injection
  • Efficient scanning thanks to the usage of polyglots:
    • On average, only five polyglots need to be sent to the web page before the template injection possibility is detected and the template engine identified.
  • Pass crawled URLs to TInjA in JSONL format.
  • Pass a raw HTTP request to TInjA.
  • Set custom headers, cookies, POST parameters, and query parameters.
  • Route the traffic through a proxy (e.g., Burp Suite).
  • Configure rate limiting.

Supported Template Engines

.NET

  • DotLiquid
  • Fluid
  • Razor Engine
  • Scriban

Elixir

  • EEx

Go

  • html/template
  • text/template

Java

  • Freemarker
  • Groovy
  • Thymeleaf
  • Velocity

JavaScript

  • Angular.js
  • Dot
  • EJS
  • Eta
  • Handlebars
  • Hogan.js
  • Mustache
  • Nunjucks
  • Pug
  • Twig.js
  • Underscore
  • Velocity.js
  • Vue.js

PHP

  • Blade
  • Latte
  • Mustache.php
  • Smarty
  • Twig

Python

  • Chameleon
  • Cheetah3
  • Django
  • Jinja2
  • Mako
  • Pystache
  • SimpleTemplate Engine
  • Tornado

Ruby

  • ERB
  • Erubi
  • Erubis
  • Haml
  • Liquid
  • Mustache
  • Slim

Use

  • Scan a single URL: tinja url -u "http://example.com/"
  • Scan multiple URLs: tinja url -u "http://example.com/" -u "http://example.com/path2"
  • Scan URLs provided in a file: tinja url -u "file:/path/to/file"
  • Scan a single URL by passing a file with a raw HTTP request: tinja raw -R "/path/to/file"
  • Scan URLs with additional information provided in a JSONL file: tinja jsonl -j "/path/to/file"
    • Each line of the JSONL file must contain a single JSON object. The whole JSON object must be in one line. Each object must have the following structure (extra line breaks and indentation are for display purposes only):
      {
        "request": {
          "method": "POST",
          "endpoint": "http://example.com/path",
          "body": "name=Kirlia",
          "headers": {
            "Content-Type": "application/x-www-form-urlencoded"
          }
        }
      }
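As an added example (not part of TInjA or its documentation), a small Python helper that builds request objects in the structure above, writes each one as a single JSONL line, and checks an existing JSONL file against that structure before it is handed to tinja jsonl. The function names, the absolute-http(s)-endpoint check and the default Content-Type for non-empty bodies are assumptions of this example, not rules stated by the page.

```python
import json

# Hypothetical helper, not part of TInjA: builds and checks lines of the JSONL
# input format shown above. Only the structure on the page is assumed:
# {"request": {"method", "endpoint", "body", "headers"}}, one object per line.
REQUIRED_KEYS = ("method", "endpoint", "body", "headers")


def make_tinja_record(method, endpoint, body="", headers=None):
    """Return one request object in TInjA's JSONL structure."""
    headers = dict(headers or {})
    if body and "Content-Type" not in headers:
        # Assumption: a form body is the common case, as in the page's example.
        headers["Content-Type"] = "application/x-www-form-urlencoded"
    return {"request": {"method": method.upper(), "endpoint": endpoint,
                        "body": body, "headers": headers}}


def to_jsonl_line(record):
    """Serialise a record onto exactly one line, as the JSONL input requires."""
    line = json.dumps(record, separators=(",", ":"), ensure_ascii=True)
    if "\n" in line:  # cannot happen with ensure_ascii, but state the rule
        raise ValueError("record must serialise to a single line")
    return line


def validate_jsonl(text):
    """Check each line of a JSONL file; return a list of (line_no, problem)."""
    problems = []
    for n, line in enumerate(text.splitlines(), start=1):
        try:
            obj = json.loads(line)  # also rejects two objects on one line
        except json.JSONDecodeError as exc:
            problems.append((n, f"invalid JSON: {exc.msg}"))
            continue
        req = obj.get("request") if isinstance(obj, dict) else None
        if not isinstance(req, dict):
            problems.append((n, "missing 'request' object"))
            continue
        missing = [k for k in REQUIRED_KEYS if k not in req]
        if missing:
            problems.append((n, "missing keys: " + ", ".join(missing)))
        elif not isinstance(req["headers"], dict):
            problems.append((n, "'headers' must be a JSON object"))
        elif not str(req["endpoint"]).startswith(("http://", "https://")):
            problems.append((n, "endpoint must be an absolute http(s) URL"))
    return problems
```

Running validate_jsonl over a file before scanning surfaces the typical mistakes (pretty-printed objects spanning several lines, a missing "headers" object) with their line numbers instead of a failed scan.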

Specify Headers, Cookies, and POST Body

  • --header/-H specifies headers which shall be added to the request.
    • Example: tinja url -u "http://example.com/" -H "Authentication: Bearer ey..."
  • --cookie/-c specifies cookies which shall be added to the request.
    • Example: tinja url -u "http://example.com/" -c "PHPSESSID=ABC123..."
  • --data/-d specifies the POST body which shall be added to the request.
    • Example: tinja url -u "http://example.com/" -d "username=Kirlia&password=notguessable"

Scan CSTI in Addition to SSTI

  • --csti enables the scanning for CSTI.
    • Example: tinja url -u "http://example.com/" --csti

By default, TInjA only scans for SSTI. Scanning for CSTI uses a headless browser, which may increase RAM and CPU usage.

Generate a JSONL Report

  • --reportpath enables generating a report in JSONL format. The report will be updated after each scanned URL and will be stored at the provided path.
    • Example: tinja url -u "http://example.com/" --reportpath "/home/user/Documents"

Use a Proxy

  • --proxyurl specifies the URL and port of a proxy to be used for scanning.
    • Example: tinja url -u "http://example.com/" --proxyurl "http://127.0.0.1:8080"
  • --proxycertpath specifies the CA certificate of the proxy in PEM format (needed when scanning HTTPS URLs).
    • Example: tinja url -u "http://example.com/" --proxyurl "http://127.0.0.1:8080" --proxycertpath "/home/user/Documents/cacert.pem"

To scan HTTPS URLs through a proxy, the proxy's CA certificate in PEM format is needed. Burp Suite, for example, provides its CA certificate in DER format. To convert it, the following command can be used:

openssl x509 -inform DER -outform PEM -text -in cacert.der -out cacert.pem

Set a Rate Limit

  • --ratelimit/-r specifies the maximum number of requests per second. By default, this number is unrestricted.
    • Example: tinja url -u "http://example.com/" --ratelimit 10

Install

Copyright (C) 2023 Hackmanit and Maximilian Hildebrand.