TInjA: CLI tool for testing web pages for template injection vulnerabilities

TInjA – the Template INJection Analyzer

TInjA is a CLI tool for testing web pages for template injection vulnerabilities.

It supports 44 of the most relevant template engines (as of September 2023) for eight different programming languages.

Features

• Automatic detection of template injection possibilities and identification of the template engine in use.
  • 44 of the most relevant template engines are supported.
  • Both SSTI and CSTI vulnerabilities are detected.
    • SSTI = server-side template injection
    • CSTI = client-side template injection
• Efficient scanning thanks to the usage of polyglots:
  • On average only five polyglots are sent to the web page until the template injection possibility is detected and the template engine identified.
• Pass crawled URLs to TInjA in JSONL format.
• Pass a raw HTTP request to TInjA.
• Set custom headers, cookies, POST parameters, and query parameters.
• Route the traffic through a proxy (e.g., Burp Suite).
• Configure Ratelimiting.

Supported Template Engines

.NET

• DotLiquid
• Fluid
• Razor Engine
• Scriban

Elixir

• EEx

Go

• html/template
• text/template

Java

• Freemarker
• Groovy
• Thymeleaf
• Velocity

JavaScript

• Angular.js
• Dot
• EJS
• Eta
• Handlebars
• Hogan.js
• Mustache
• Nunjucks
• Pug
• Twig.js
• Underscore
• Velocity.js
• Vue.js

PHP

• Blade
• Latte
• Mustache.php
• Smarty
• Twig

Python

• Chameleon
• Cheetah3
• Django
• Jinja2
• Mako
• Pystache
• SimpleTemplate Engine
• Tornado

Ruby

• ERB
• Erubi
• Erubis
• Haml
• Liquid
• Mustache
• Slim

Use

• Scan a single URL: tinja url -u "http://example.com/"
• Scan multiple URLs: tinja url -u "http://example.com/" -u "http://example.com/path2"
• Scan URLs provided in a file: tinja url -u "file:/path/to/file"
• Scan a single URL by passing a file with a raw HTTP request: tinja raw -R "/path/to/file"
• Scan URLs with additional information provided in a JSONL file: tinja jsonl -j "/path/to/file"
  • Each line of the JSONL file must contain a single JSON object. The whole JSON object must be in one line. Each object must have the following structure (extra line breaks and indentation are for display purposes only):

    {
    "request":{
        "method":"POST",
        "endpoint":"http://example.com/path",
        "body":"name=Kirlia",
        "headers":{
            "Content-Type":"application/x-www-form-urlencoded"
        }
    }

Specify Headers, Cookies, and POST Body

• --header/-H specifies headers which shall be added to the request.
  • Example: tinja url -u "http://example.com/" -H "Authentication: Bearer ey..."
• --cookie/-c specifies cookies which shall be added to the request.
  • Example: tinja url -u "http://example.com/" -c "PHPSESSID=ABC123..."
• --data/-d specifies the POST body which shall be added to the request.
  • Example: tinja url -u "http://example.com/" -d "username=Kirlia&password=notguessable"

Scan CSTI in Addition to SSTI

• --csti enables the scanning for CSTI.
  • Example: tinja url -u "http://example.com/" --csti

By default TInjA only scans for SSTI. A headless browser is utilized for scanning for CSTI, which may increase RAM and CPU usage.

Generate a JSONL Report

• --reportpath enables generating a report in JSONL format. The report will be updated after each scanned URL and will be stored at the provided path.
  • Example: tinja url -u "http://example.com/" --reportpath "/home/user/Documents"

Use a Proxy

• --proxyurl specifies the URL and port of a proxy to be used for scanning.
  • Example: tinja url -u "http://example.com/" --proxyurl "http://127.0.0.1:8080"
• --proxycertpath specifies the CA certificate of the proxy in PEM format (needed when scanning HTTPS URLs).
  • Example tinja url -u "http://example.com/" --proxyurl "http://127.0.0.1:8080" --proxycertpath "/home/user/Documents/cacert.pem"

To scan HTTPS URLs using a proxy a CA certificate of the proxy in PEM format is needed. Burp Suite CA certificates are provided in DER format, for example. To convert them, the following command can be used:

openssl x509 -inform DER -outform PEM -text -in cacert.der -out cacert.pem

Set a Ratelimit

• --ratelimit/-r specifies the number of maximum requests per second allowed. By default, this number is unrestricted.
  • Example: tinja url -u "http://example.com/" --ratelimit 10

Install

Copyright (C) 2023 Hackmanit and Maximilian Hildebrand.