Please, provide all the details of the alert.

@thc202 I provided the context of the alert detection

We are after the full details of the alert.

@kingthorin OK, I added the full json report with request and response

Thanks that helps.

@kingthorin if you can delete the data and we share the information privately I appreciate.

No problem. Removed. I can store in a limited access location.

@kingthorin did you have the chance to look on the issue?

I think I might see an issue based on what you'd shared. I need to dig into the code.

@kingthorin Have you been able to identify the issue, or would you like more details?

Thanks for checking in. Unfortunately due to an injury I haven't been able to dig into it yet.

Oh, sorry to hear that, I hope you get better

Hey @kingthorin, sorry to hear about your injury. I hope you get feeling better soon! Also, congratulations on the Checkmarx move :)

I'm chiming in here with more data to help elucidate what I think is going on. With our clients, it appears that about 80% of the SSTI findings come from one particular check: the GoTemplateFormat.

The GoTemplateFormat checks for a concatenation of two numbers instead of a math operation like other template tests. It appears to generate FPs far more frequently due to how web apps tend to place input parameters into the page while filtering special characters. For example, here's the first 3 SSTI alerts I looked at from different sites:

Attack: zj{{print "6518" "7178"}}zj
Proof (from page): "is_analytics_enabled":"1","is_search":"1","is_id":"zjprint65187178zj","is_label":"","is_cat":"Results Found"}

Attack zj{{print "7996" "3057"}}zj
Proof (from page): <!DOCTYPE html> <html lang="zjprint79963057zj"> <head>

Attack zj{{print "2932" "1257"}}zj
Proof (from Location header): Location: https://example.com/web/index.php/component/search/?searchword=ZAP&ordering=newest&searchphrase=all&areas[0]=zjprint29321257zj&Itemid=224

The pattern is consistently that the attack parameter gets stripped of special characters and inserted into the page or URL. Since stripping the attack of special characters results in the concatenation of the two numbers, the test for concatenation doesn't differentiate between a correctly discovered evaluation of the attack parameter and an FP of the parameter getting cleaned and put back on the page without evaluation.

This definitely could be poor input parameter handling by the site, but I don't believe clears the threshold for SSTI.

I didn't dig into the history of the GoTemplateFormat to figure out why concatenation was used instead of multiplication like most of the others. Let me know if you want me to add the full software version info or help contribute in some way.

Thanks that's great. The details are highly appreciated ‼️ @rbliss

Fix is inbound, PR opened.

@tenaz3 & @rbliss thank you for providing great details. That really makes our lives easier as far as getting things fixed.

Took a look at the PR, looks great. Thanks a ton for all you do @kingthorin