Server Side Template Injection Analyzer
Configuration Name: SstInjection
Description
The Server Side Template Injection analyzer detects template injection vulnerabilities in an API by issuing requests that contain template engine attack vectors. An application is vulnerable to injection attacks if it does not properly validate, filter, or sanitize the input strings in a request; an attacker can exploit this by sending attack vectors in a request. OWASP classifies Injection as #8 in its API Security Top 10 (API8:2019).
Faults Reported
Fault Identifier | Title | Summary | Solution | Severity |
---|---|---|---|---|
CWE-20 | Improper Input Validation | The application either does not validate input data or incorrectly validates that the input may be processed safely and correctly. | The application should sanitize inputs and respond with a client error for invalid input data. | medium |
CWE-1336 | Improper Neutralization of Special Elements Used in a Template Engine | The application does not properly validate or sanitize input data that is used in a template expression that is processed by the application. | The application should sanitize inputs and respond with a client error for invalid input data. | medium |
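The following added example (not part of the analyzer or this page) contrasts the CWE-1336 pattern the analyzer reports with the fix recommended in the Solution column. It uses Python's standard-library `string.Template` as a stand-in for a real template engine; the field names, allowlist rule and server context are constructed assumptions for illustration.

```python
import re
from string import Template

# Constructed sample context: the kind of server-side data a template can see.
# The value is a placeholder, not a real secret.
SERVER_CONTEXT = {"app_secret": "PLACEHOLDER-secret-value"}

# Allowlist per request field: what a legitimate value is allowed to look like
# (assumed rule for a hypothetical "name" field).
FIELD_RULES = {"name": re.compile(r"[A-Za-z][A-Za-z' -]{0,63}")}

# Defence in depth, applied to every field: delimiters used by common template
# engines. Free-text input to an API almost never needs them.
TEMPLATE_DELIMITERS = re.compile(r"\{\{|\}\}|\{%|%\}|\$\{|<%|%>|#\{")


def validate_params(params: dict) -> list:
    """Return (field, reason) problems; an empty list means the input is acceptable."""
    problems = []
    for field, value in params.items():
        if TEMPLATE_DELIMITERS.search(value):
            problems.append((field, "contains template syntax"))
    for field, rule in FIELD_RULES.items():
        if not rule.fullmatch(params.get(field, "")):
            problems.append((field, "does not match the expected format"))
    return problems


def render_vulnerable(user_value: str) -> str:
    """CWE-1336 pattern: user data is spliced into the template *source*, so any
    template syntax it carries is interpreted against SERVER_CONTEXT."""
    return Template("Hello " + user_value).safe_substitute(SERVER_CONTEXT)


def render_hardened(user_value: str) -> str:
    """Fixed pattern: the template source is a constant and user data is passed
    only as a substitution value, so it is never parsed as template syntax."""
    return Template("Hello $name").safe_substitute(name=user_value)


def handle_request(params: dict) -> tuple:
    """Minimal handler: reject invalid input with a client error, else render safely."""
    problems = validate_params(params)
    if problems:
        return 400, {"error": "invalid input", "details": problems}
    return 200, {"body": render_hardened(params["name"])}
```

Even with the allowlist in place, the hardened renderer is the real fix: a value that slips past validation is still treated as data, never as template code.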