The Hacker Recipes
GitHubTwitterDonate
Search…
Introduction
Active Directory
Reconnaissance
Movement
Persistence
Web services
Reconnaissance
Configuration
Accounts and sessions
User inputs
🛠️ File inclusion
SQL injection
XSS (Cross-Site Scripting)
Unrestricted file upload
CSRF (Cross-Site Request Forgery)
🛠️ HTTP parameter pollution
IDOR (Insecure Direct Object Reference)
Open redirect
Insecure JSON Web Tokens
Insecure Cookies
🛠️ SSTI (Server-Side Template Injection)
🛠️ Insecure deserialization
SSRF (Server-Side Request Forgery)
XXE injection
🛠️ CRLF injection
HTTP response splitting
🛠️ Arbitrary file download
🛠️ Directory traversal
🛠️ Null-byte injection
🛠️ Content-type juggling
Systems & services
Reconnaissance
Movement
Privilege escalation
Pivoting
🛠️ Physical
Locks
Networking
Machines
Super secret zones
🛠️ Intelligence gathering
CYBINT
OSINT
GEOINT
🛠️ RADIO
RFID
Bluetooth
Wi-Fi
Wireless keyboard/mouse
🛠️ binary exploitation
Use-after-free
Buffer overflow
🛠️ mobile apps
Android
iOS
Powered By GitBook
🛠️ SSTI (Server-Side Template Injection)

Theory

Some web applications rely on template engines to offer dynamic content. When user inputs are embedded in templates, without proper sensitization, the web apps can be vulnerable to SSTIs (Server-Side Template Injections). This is a critical vulnerability that can sometimes lead to Sensitive Information Disclosure, Local File Disclosure and even RCE (Remote Code Execution).

🛠️ Practice

Testers need to identify input vectors (parts of the app that accept content from the users) that might be embedded in templates.
The following payload is used for testing SQL injections, XSS (Cross-Site Scripting) and SSTI (Server-Side Template Injection). The {{7*7}} should be interpreted and changed to 49 by Jinja2 and Twig engines.
1
'"<svg/onload=prompt(5);>{{7*7}}
Copied!
The following injection methodology can be used to identify the template engine. Is the content modified?
Depending on the template engine in use, testers will be able to fully exploit the SSTI vulnerability.
Many template engines offer a sandboxed mode for intentional template injection (to offer rich functionalities). A server-side template injection can sometimes be a feature and not a vulnerability.
🛠️ Add some examples ?

Examples

SSTI in jinja2 templates

References

PayloadsAllTheThings/Server Side Template Injection at master · swisskyrepo/PayloadsAllTheThings
GitHub
Server-Side Template Injection
PortSwigger Research
Previous
Insecure Cookies
Next
🛠️ Insecure deserialization
Last modified 5mo ago
Copy link
Edit on GitHub
Contents
Theory
🛠️ Practice
Examples
SSTI in jinja2 templates
References