What is SSTI
SSTI stands for Server-Side Template Injection. It occurs when a web application concatenates user input into a server-side template before rendering it, instead of passing the input to the template as data. Because template engines evaluate the expressions embedded in the template source, the attacker's input is interpreted as template syntax and executed on the server rather than simply displayed, which usually ends in arbitrary code execution on the host.
What SSTI can look like
# Direct reference: the parameter value is used as template code (here the name of a variable the template renders)
http://vulnerable-website.com/?greeting=data.username
# Indirect reference: the input lands inside the template's HTML text, so you supply the expression delimiters yourself
<%= 7*7 %>
{{7*7}}
{7*7}
...
Keep in mind that SSTI often shares its input vector with XSS: the same reflected parameter. The key difference is that XSS protections (HTML encoding of the output) are applied after rendering, while the template engine evaluates the input before that, so a site can block XSS correctly and still evaluate {{7*7}}. An XSS filter on a reflected parameter therefore says nothing about SSTI when the application uses a template engine.
Searching for SSTI
# Find an input field that is reflected into a page (direct or indirect reference, see above)
---------------------------------------------------------------------------------
# Fuzz to determine the template engine used: a probe is a hit when the response contains the evaluated result (49), not the literal payload; which syntax evaluates narrows down the engine
<%= 7*7 %>
{{7*7}}
{7*7}
...
---------------------------------------------------------------------------------
# Escalate the payload using the payload list for the identified template engine
https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection#tools
Search online for the engine's own documentation if more detail is needed (syntax for statements, filters, object access)
*You might need to import some components during exploitation, e.g. {% import os %} (valid in Tornado templates; other engines use different import or object-access syntax, so check the docs for the engine you identified)*
---------------------------------------------------------------------------------
# EXTRA
- Try to provoke error messages: an invalid expression often leaks the engine name and version in the stack trace
- When testing a parameter that is already used inside a template expression, close the expression the application opened before starting your own (note the closing brackets):
ex: http://vulnerable-website.com/?greeting=data.username
ex: http://vulnerable-website.com/?greeting=data.username}}{{Payload
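The two contexts described at the top of the page and the fuzzing/closing-bracket procedure above, as an added example that is not part of these notes or of any real template engine. ToyEngine is a constructed stand-in that evaluates whatever sits between {{ and }} as a Python expression; the User object, the CTX dictionary, the PROBES list and the helper names are all assumptions made for the example.

```python
import re

# Constructed stand-in for a Jinja2/Twig-style engine: everything between
# {{ and }} is evaluated as a Python expression against a context dict. That
# "evaluate expressions found in the template source" property is what SSTI
# abuses. This is NOT the code of any real engine.
EXPR = re.compile(r"\{\{(.*?)\}\}", re.S)


class ToyEngine:
    def render(self, source, **ctx):
        def evaluate(match):
            # Builtins are removed so a mistyped probe cannot call open() etc.
            # This is not a sandbox: real engines need proper sandboxing,
            # which is exactly why an evaluated {{7*7}} is a finding.
            return str(eval(match.group(1).strip(), {"__builtins__": {}}, ctx))
        return EXPR.sub(evaluate, source)


class User:  # constructed sample object exposed to templates as `data`
    username = "carlos"


CTX = {"data": User()}


# Vulnerable, indirect reference: input is glued into the template SOURCE, so
# the attacker supplies the {{ }} delimiters (the "{{7*7}}" case above).
def vulnerable_plaintext(engine, name):
    return engine.render("Hello " + name, **CTX)


# Vulnerable, direct reference: input is already inside a {{ }} the application
# opened (the ?greeting=data.username case above).
def vulnerable_code_context(engine, greeting):
    return engine.render("Hello {{" + greeting + "}}", **CTX)


# Fixed: the template is a constant and the input arrives as DATA, so the
# engine prints it instead of evaluating it. (Still HTML-escape it for XSS.)
def safe(engine, name):
    return engine.render("Hello {{ name }}", name=name, **CTX)


# Probe syntaxes from the fuzzing step. A hit means the arithmetic was
# evaluated (49 present, literal payload absent); the hit syntax narrows the engine.
PROBES = [
    ("{{7*7}}", "49"),      # Jinja2 / Twig / Nunjucks style
    ("${7*7}", "49"),       # FreeMarker / Mako / Velocity style
    ("<%= 7*7 %>", "49"),   # ERB style
    ("{7*7}", "49"),        # Smarty style
]


def fuzz_engine(send):
    """send(payload) -> response body. Returns the probe syntaxes that evaluated."""
    hits = []
    for payload, expected in PROBES:
        body = send(payload)
        if expected in body and payload not in body:
            hits.append(payload)
    return hits


def probe_code_context(send):
    """Close the expression the app opened, then open our own (the }}{{ trick)."""
    return "49" in send("data.username}}{{7*7")


if __name__ == "__main__":
    eng = ToyEngine()
    print(fuzz_engine(lambda p: vulnerable_plaintext(eng, p)))            # ['{{7*7}}']
    print(fuzz_engine(lambda p: safe(eng, p)))                            # []
    print(probe_code_context(lambda g: vulnerable_code_context(eng, g)))  # True
```

Against a real target, `send` is the function that puts the payload into the parameter you are testing and returns the response body; the rest of the logic is unchanged. Only the syntax that actually evaluates counts as a hit, which is why the check requires the result and the absence of the literal payload, not just a 200 response.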