SSTI

Server-Side Template Injection (SSTI) is a vulnerability that occurs when user input is directly inserted into the template engine of a web application. Common template engines include Smarty (PHP), Jinja2 (Python), and Pug (formerly known as Jade) for Node.js.

If an SSTI attack is successful, it can lead to Remote Code Execution (RCE), enabling attackers to escalate privileges and potentially achieve full compromise of the application.

LogoTryHackMe | Cyber Security TrainingTryHackMe

Tools

  1. tplmap

LogoGitHub - epinna/tplmap: Server-Side Template Injection and Code Injection Detection and Exploitation ToolGitHub

  1. TInjA

LogoGitHub - Hackmanit/TInjA: TInjA is a CLI tool for testing web pages for template injection vulnerabilities and supports 44 of the most relevant template engines for eight different programming languages.GitHub

  1. SSTImap

LogoGitHub - vladko312/SSTImap: Automatic SSTI detection tool with interactive interfaceGitHub

Payload list

  1. Swisskyrepo/PayloadAllTheThings

LogoPayloadsAllTheThings/Server Side Template Injection at master ยท swisskyrepo/PayloadsAllTheThingsGitHub

Practice rooms

  1. TryHackMe Injectics:

LogoGitBook

PreviousInjection attacksNextSQL injection

Last updated