Server Side Template Injection

What are (Server Side) Template Engines

Template engines are tools used to generate HTML or other markup languages by combining templates with dynamiclly data.

For example:

<!-- SERVER SIDE !>
<html>
    <h1>{{7*7}}</h1>
</html>

Renders as:

<!-- CLIENT SIDE !>
<html>
    <h1>49</h1>
</html>

They allow developers to create dynamic web pages by separating the presentation layer (HTML) from the logic (code). This makes it easier to manage and reuse code, especially when displaying data from databases or APIs. Popular examples include Jinja2, EJS, and Handlebars.

What is Template Injection

If a page allows users to input data into the server, and the server then displays this data in the web application, the system must ensure that the input is not interpreted as a template tag.

Not vulnerable

User input:

{{ 7*7 }}

Application Reflects:

{{ 7*7 }}

If the application does not sanatize the input in the correct way it can be prone to Server Side Template Injection (SSTI):

Vulnerable

User input:

{{ 7*7 }}

Application Reflects:

49

Video Explaination

How to find it?

Tip: Search for Template Tnjection in places where input is not propertly sanatized e.g. in places where Cross Site Scripting vulnerability is confirmed

Finding Template Injection vulnerabiliities usually is not very complicated. The input which we should use depends on the used templating engine used in the web application.

In order to fit the payload to the engine type you should access this web page: https://hacktricks.boitatech.com.br/pentesting-web/ssti-server-side-template-injection#exploits