Template injection definition
Template injection is a vulnerability in web applications that generate dynamic content with templates. Templates are often used in web development to separate the presentation logic from the business logic of an application. An attacker manipulates user-supplied input to inject malicious code into a template, which is then executed by the server-side rendering engine.
Developers use templates to define reusable layouts and placeholders for dynamic content. If the user input isn’t properly validated before it’s inserted into the template, attackers can abuse it via template injection.
Template injection vulnerabilities are found in various template engines or frameworks used in web applications. The specific syntax and techniques for exploiting template injection may vary depending on the targeted framework.
Dangers of template injection
- Remote code execution. An attacker can execute arbitrary code on the server, allowing them to control the application and potentially the underlying server.
- Information disclosure. An attacker can access sensitive information within the application or its environment by injecting template-specific code, such as database credentials or other users' data.
- Denial of service. An attacker can abuse template injection to consume excessive server resources, leading to a denial of service by overloading the server.