Template Injection
What does this mean?
Template injection has been detected in a user-controlled input, which may lead to code execution on the web server.
What can happen?
Attackers can execute malicious code in the web application and gain remote code execution on the web server, which may lead to a complete compromise of the web server.
Recommendation
Make sure user input is validated on the server side before it is accepted.
Sample Code
Vulnerable:
<% ssl = @server.instance_variable_get(:@ssl_context) %><%= ssl.instance_variable_get(:@key) %>
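The vulnerable pattern and the recommendation above, shown as an added Ruby example that is not part of the original page: user input concatenated into ERB template source, next to a fixed template that receives the input only as data, plus a server-side allowlist check. The method names, the harmless arithmetic probe and the display-name policy are assumptions made for illustration.

```ruby
require "erb"

# Constructed sample input: a harmless arithmetic probe written in ERB syntax.
PROBE = "<%= 7 * 7 %>"

# Vulnerable pattern: user input becomes part of the template source,
# so any ERB tags it contains are evaluated on the server.
def render_vulnerable(name)
  ERB.new("Hello " + name).result(binding)
end

# Hardened pattern: the template source is a fixed string. User input is
# passed only as a value and HTML-escaped on output; it is never parsed as ERB.
SAFE_TEMPLATE = ERB.new("Hello <%= ERB::Util.html_escape(name) %>")

def render_safe(name)
  SAFE_TEMPLATE.result_with_hash(name: name)
end

# Server-side validation (assumed policy for a display name): allowlist of
# expected characters and a length limit. \A and \z anchor the whole string;
# ^ and $ would only anchor a single line in Ruby.
NAME_PATTERN = /\A[\p{Alnum} .'-]{1,64}\z/

def valid_name?(name)
  name.is_a?(String) && NAME_PATTERN.match?(name)
end

# Validate first, then render with the fixed template.
def greet(name)
  return "Invalid name" unless valid_name?(name)
  render_safe(name)
end

if __FILE__ == $PROGRAM_NAME
  puts render_vulnerable(PROBE) # template tags in the input are evaluated
  puts render_safe(PROBE)       # input is shown as escaped text
  puts greet("Alice")
  puts greet(PROBE)             # rejected by validation
end
```

Validation alone depends on the allowlist being complete; keeping user input out of the template source removes the evaluation path even when a value slips past the check.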