
Server Side Template Injection

What are (Server Side) Template Engines

Template engines are tools used to generate HTML or other markup by combining templates with dynamic data.

For example:

<!-- SERVER SIDE -->
<html>
    <h1>{{7*7}}</h1>
</html>

Renders as:

<!-- CLIENT SIDE -->
<html>
    <h1>49</h1>
</html>

They allow developers to create dynamic web pages by separating the presentation layer (HTML) from the logic (code). This makes it easier to manage and reuse code, especially when displaying data from databases or APIs. Popular examples include Jinja2, EJS, and Handlebars.

What is Template Injection

If a page accepts user input and the server later displays that input in the web application, the application must ensure the input is rendered as data and not interpreted as a template tag.

Not vulnerable

User input:

{{ 7*7 }}

Application Reflects:

{{ 7*7 }}

If the application does not sanitize the input correctly, it can be prone to Server Side Template Injection (SSTI):

Vulnerable

User input:

{{ 7*7 }}

Application Reflects:

49
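The contrast above in runnable form, as an added example that is not part of the original page: a tiny constructed `{{ expr }}` engine (arithmetic and variable lookup only, not a real engine such as Jinja2) renders the same page once with user input concatenated into the template source and once with it passed as data, and a small check applies the "probe evaluated but tag syntax vanished" heuristic the text describes.

```python
import ast
import operator
import re

# Constructed minimal template engine: evaluates only +, -, * on numbers and
# looks up names in the render context. Real engines expose far more, but the
# difference between "input as source" and "input as data" is the same.
_OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul}
_TAG = re.compile(r"\{\{\s*(.*?)\s*\}\}")


def _eval(node, ctx):
    if isinstance(node, ast.Expression):
        return _eval(node.body, ctx)
    if isinstance(node, ast.Constant) and isinstance(node.value, (int, float)):
        return node.value
    if isinstance(node, ast.Name):
        return ctx[node.id]
    if isinstance(node, ast.BinOp) and type(node.op) in _OPS:
        return _OPS[type(node.op)](_eval(node.left, ctx), _eval(node.right, ctx))
    raise ValueError("unsupported expression")


def render(template, **ctx):
    """Replace every {{ expr }} tag in the template source with its value (single pass)."""
    return _TAG.sub(lambda m: str(_eval(ast.parse(m.group(1), mode="eval"), ctx)), template)


def vulnerable_page(user_input):
    # Vulnerable pattern: user input becomes part of the template SOURCE,
    # so any tag it contains is interpreted by the engine.
    return render("<h1>Hello " + user_input + "</h1>")


def safe_page(user_input):
    # Safe pattern: user input is passed as DATA; only the value of `name` is
    # substituted, and the substituted text is never parsed as a template again.
    return render("<h1>Hello {{ name }}</h1>", name=user_input)


def ssti_suspected(probe, expected, response):
    """Detection heuristic from the text: the probe's arithmetic result is reflected
    while the probe itself (the tag syntax) is not."""
    return expected in response and probe not in response
```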

Video Explanation

How to find it?

Tip: Look for Template Injection in places where input is not properly sanitized, e.g. where a Cross Site Scripting vulnerability has already been confirmed.

Finding Template Injection vulnerabilities is usually not very complicated. The input we should use depends on the templating engine used by the web application.

To fit the payload to the engine type, consult this web page:

https://hacktricks.boitatech.com.br/pentesting-web/ssti-server-side-template-injection#exploits