Server Side Template Injection (Pug)

  • PCI 3.2-6.5.1
  • CWE 94
  • CWE 95
  • CAPEC 23
  • OWASP 2013-A1

Server-side template injection occurs when user input is unsafely embedded into a server-side template, allowing users to inject template directives. Using malicious template directives, an attacker may execute arbitrary code and take full control of the web server.

Remediation

Avoid creating templates from user input. Instead, keep the template source fixed and pass user input to the template as template parameters (locals), so it is only ever interpolated as data.
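The vulnerable pattern beside the remediated one, as an added example for a Node/Pug application (not code from the original page). It assumes the `pug` package; when it is not installed the render step returns `null` and the helpers still show how the template source is assembled in each case.

```javascript
// Added example, not from the page. Assumes the `pug` npm package; without it,
// render() returns null and the template-construction helpers still run.
let pug = null;
try { pug = require('pug'); } catch (_) { /* pug not installed: rendering skipped */ }

// VULNERABLE: request data becomes part of the template *source*, so any Pug
// syntax in it (#{...}, !{...}, "- " code lines) is compiled and executed.
function buildUnsafe(userName) {
  const source = 'p Hello ' + userName;   // user input spliced into the template
  return { source, locals: {} };
}

// SAFE: the template source is a constant; user data travels in `locals` and is
// interpolated (and HTML-escaped) by #{name} at render time, never compiled.
const GREETING_TEMPLATE = 'p Hello #{name}';
function buildSafe(userName) {
  return { source: GREETING_TEMPLATE, locals: { name: String(userName) } };
}

// Defensive guard: refuse to compile any template source that is not one of the
// application's own fixed templates (an allowlist of known sources).
const TRUSTED_TEMPLATES = new Set([GREETING_TEMPLATE]);
function isTrustedSource(source) {
  return TRUSTED_TEMPLATES.has(source);
}

// Guarded render path used by the application.
function render(plan) {
  if (!isTrustedSource(plan.source)) {
    throw new Error('refusing to compile template source that is not a known fixed template');
  }
  if (!pug) return null;
  return pug.compile(plan.source)(plan.locals);
}

// Unguarded render, kept only to show what the vulnerable pattern does.
function renderUnguarded(plan) {
  if (!pug) return null;
  return pug.compile(plan.source)(plan.locals);
}

// Constructed input that looks like a Pug interpolation directive.
const PROBE = '#{1 + 1}';
```

With `pug` installed, `renderUnguarded(buildUnsafe(PROBE))` evaluates the directive and yields `<p>Hello 2</p>`, while `render(buildSafe(PROBE))` yields the literal text `<p>Hello #{1 + 1}</p>`.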

References