Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionhightest

Server Side Template Injection Strings

Detects SSTI attempts sent via GET requests in access logs

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Nasreddine Bencherchali (Nextron Systems)Created Tue Jun 14ada3bc4f-f0fd-42b9-ba91-e105e8af7342web
Log Source
Web Server Log
CategoryWeb Server Log← raw: webserver

HTTP access logs from web servers capturing request paths, methods, and status codes.

Detection Logic
Detection Logic3 selectors
detection:
    select_method:
        cs-method: 'GET'
    keywords:
        - '={{'
        - '=%7B%7B'
        - '=${'
        - '=$%7B'
        - '=<%='
        - '=%3C%25='
        - '=@('
        - 'freemarker.template.utility.Execute'
        - .getClass().forName('javax.script.ScriptEngineManager')
        - 'T(org.apache.commons.io.IOUtils)'
    filter:
        sc-status: 404
    condition: select_method and keywords and not filter
False Positives

User searches in search boxes of the respective website

Internal vulnerability scanners can cause some serious FPs when used, if you experience a lot of FPs due to this think of adding more filters such as "User Agent" strings and more response codes

References
1
Resolving title…
book.hacktricks.xyz
2
Resolving title…
github.com
MITRE ATT&CK

Other

attack.t1221
Rule Metadata
Rule ID
ada3bc4f-f0fd-42b9-ba91-e105e8af7342
Status
test
Level
high
Type
Detection
Created
Tue Jun 14
Author
Nasreddine Bencherchali (Nextron Systems)
Path
rules/web/webserver_generic/web_ssti_in_access_logs.yml
Raw Tags
attack.defense-evasionattack.t1221
View on GitHub