
Server-Side Template Injection (SSTI)

Template injection allows an attacker to inject template code into an existing template, or to have the server evaluate attacker-supplied input as a template of its own. A template engine makes designing HTML pages easier by using static template files in which, at runtime, variables/placeholders are replaced with actual values.


Methodology

Identify the Vulnerable Input Field

The attacker first locates an input field, URL parameter, or any user-controllable part of the application that is passed into a server-side template without proper sanitization or escaping.

For example, the attacker might identify a web form, search bar, or template preview functionality that seems to return results based on dynamic user input.

Info: Generated PDF files, invoices, and emails are usually produced from a template.

Inject Template Syntax

The attacker tests the identified input field by injecting template syntax specific to the template engine in use. Different web frameworks use different template engines (e.g., Jinja2 for Python, Twig for PHP, or FreeMarker for Java).

Common template expressions:

  • {{7*7}} for Jinja2 (Python).
  • #{7*7} for Thymeleaf (Java).
  • etc. (each engine has its own expression delimiters).
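The probe above only tells you something if you know what "the input reached the engine" looks like in code. The example below is added here and is not from the original page: it uses a deliberately tiny, constructed template engine (not Jinja2; it only understands `{{ }}` with integer arithmetic and context variables) to show the vulnerable pattern (user input concatenated into the template source) beside the fixed pattern (user input passed as data in the context), and a small check that decides whether a `{{7*7}}` probe was evaluated or merely echoed. All function names are hypothetical.

```python
import ast
import operator
import re

# A deliberately tiny template engine, constructed for this example (not Jinja2).
# It only understands {{ expression }} where the expression is integer arithmetic
# or a context variable. It exists to make visible WHERE user input ends up,
# which is the whole SSTI question; real engines expose far more than arithmetic.
_PLACEHOLDER = re.compile(r"\{\{\s*(.*?)\s*\}\}")
_OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul}


def _eval(node, context):
    """Evaluate a restricted AST: int constants, names from context, and + - *."""
    if isinstance(node, ast.Expression):
        return _eval(node.body, context)
    if isinstance(node, ast.Constant) and isinstance(node.value, int):
        return node.value
    if isinstance(node, ast.Name):
        return context[node.id]
    if isinstance(node, ast.BinOp) and type(node.op) in _OPS:
        return _OPS[type(node.op)](_eval(node.left, context), _eval(node.right, context))
    raise ValueError(f"unsupported expression: {ast.dump(node)}")


def render(template_src, context=None):
    """Replace every {{ expr }} in template_src with its evaluated value.
    re.sub does not rescan the substituted text, so values from the context
    are inserted verbatim and never parsed as template syntax."""
    context = context or {}

    def substitute(match):
        tree = ast.parse(match.group(1), mode="eval")
        return str(_eval(tree, context))

    return _PLACEHOLDER.sub(substitute, template_src)


def greet_vulnerable(user_input):
    """Anti-pattern: user input becomes part of the TEMPLATE SOURCE, so the
    engine parses and evaluates whatever template syntax the user supplies."""
    return render("Hello " + user_input)


def greet_fixed(user_input):
    """Fix: the template is a constant; user input is passed as DATA through
    the context, so it is substituted as a string and never parsed."""
    return render("Hello {{ name }}", {"name": user_input})


def ssti_probe_hit(probe, response):
    """Check from the methodology: if the probe (e.g. '{{7*7}}') comes back
    evaluated (e.g. '49') instead of echoed literally, input reached the engine."""
    evaluated = render(probe)
    return evaluated in response and probe not in response


if __name__ == "__main__":
    probe = "{{7*7}}"
    print("vulnerable:", greet_vulnerable(probe), ssti_probe_hit(probe, greet_vulnerable(probe)))
    print("fixed:     ", greet_fixed(probe), ssti_probe_hit(probe, greet_fixed(probe)))
```

The fix is not escaping or filtering the input but changing where it goes: a constant template plus a context dictionary. In Flask/Jinja2 the same distinction is `render_template_string("Hello " + user_input)` (vulnerable) versus `render_template_string("Hello {{ name }}", name=user_input)` (data only).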

TODO image

Polyglot Payload

In most cases, this polyglot payload will trigger an error in the presence of an SSTI vulnerability, because it contains the opening delimiters of several engines at once and is syntactically valid in none of them:

${{<%[%'"}}%\.
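From the defender's side, the same delimiters that make the polyglot useful make probes easy to spot in access logs. The example below is added here and is not from the original page: it URL-decodes the request path of each line in a few constructed access-log entries (not real traffic) and flags requests carrying template-expression delimiters, reporting which engine families they belong to and whether an arithmetic probe such as `7*7` is present. The marker-to-engine mapping is a coarse heuristic, and the log format and function names are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines (not from the page). Line 2 carries a Jinja2-style
# probe, line 3 a Thymeleaf-style probe, and line 4 the polyglot payload
# ${{<%[%'"}}%\. exactly as a browser would URL-encode it.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /search?q=shoes HTTP/1.1" 200 512
203.0.113.9 - - [10/Oct/2023:13:55:40 +0000] "GET /search?q=%7B%7B7*7%7D%7D HTTP/1.1" 200 498
203.0.113.9 - - [10/Oct/2023:13:55:41 +0000] "GET /preview?name=%23%7B7*7%7D HTTP/1.1" 500 0
203.0.113.9 - - [10/Oct/2023:13:55:42 +0000] "GET /preview?name=%24%7B%7B%3C%25%5B%25%27%22%7D%7D%25%5C. HTTP/1.1" 500 0
"""

# Opening delimiters of common template engines (coarse mapping, an assumption).
TEMPLATE_MARKERS = {
    "{{": "Jinja2/Twig-style expression",
    "{%": "Jinja2/Twig-style statement",
    "${": "FreeMarker/Velocity/Thymeleaf-style expression",
    "#{": "Thymeleaf/ERB-style expression",
    "<%": "ERB/JSP-style tag",
}
ARITHMETIC_PROBE = re.compile(r"\d+\s*\*\s*\d+")
# Common log format: client ip ... "METHOD path protocol" status
LOG_LINE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def flag_template_probes(log_text):
    """Return one record per request whose decoded path carries template delimiters."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # malformed line: skip rather than crash the scan
        # Decode percent-encoding so {{ and ${ are visible; match on the decoded form.
        decoded = unquote_plus(m.group("path"))
        markers = [mk for mk in TEMPLATE_MARKERS if mk in decoded]
        if not markers:
            continue
        hits.append({
            "ip": m.group("ip"),
            "path": decoded,
            "status": int(m.group("status")),
            "markers": markers,
            "engines": [TEMPLATE_MARKERS[mk] for mk in markers],
            # An integer product next to delimiters is the classic 7*7 probe.
            "arithmetic": bool(ARITHMETIC_PROBE.search(decoded)),
        })
    return hits


if __name__ == "__main__":
    for hit in flag_template_probes(SAMPLE_LOG):
        print(hit["ip"], hit["status"], hit["path"], hit["markers"], "arith" if hit["arithmetic"] else "")
```

A request that carries several delimiter families at once and receives a 500 (the last sample line) is the polyglot's fingerprint: a single line like that is worth more attention than many 200 responses, since the error means some engine tried to parse the input.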

Injection Table

For more polyglot payloads and an engine-by-engine injection table, use this URL:

https://cheatsheet.hackmanit.de/template-injection-table/