# SSTI

## Detection

***

Use a polyglot payload, composed of the special characters commonly used by template engines, to fuzz the template:

{% hint style="info" %}
`${{<%[%'"}}%\`
{% endhint %}

However, characters going missing from the response only hints at SSTI; to confirm the vulnerability, use a mathematical or variable-leakage payload:

{% hint style="info" %}
`{{ 7*7 }}` , `${ 7*7 }`

`{{ self }}` , `${request}`
{% endhint %}

If the application is vulnerable, it may return an error message or an exception that reveals the template engine, like this:

<figure><img src="/files/rZIlWJqfId0XfcTRr8UP" alt=""><figcaption><p>Twig being used as template engine</p></figcaption></figure>

Whatever template engine is in use, it can usually be read straight from the error.

Didn't get the Error? But you still have doubts?

Try these expressions in user input, URL parameters or any other user-controllable field:

* `=${7*3}`
* `={{7*3}}`
* `=<%= 7*3 %>`

If you get anything back follow along.

### Exploitation

***

Follow the tree to find out which payload is gonna work:

<figure><img src="/files/jAprfEiZL6G0sRgo22yW" alt=""><figcaption><p>Payload tree</p></figcaption></figure>

It should return a mathematical result, such as `7*7 = 49` or `'7'*7 = 7777777`, depending on which payload you enter. This confirms the vulnerability.

Enumerate the template engine:

From the successful response you can determine which template engine is in use, as shown above in the error image. This step is critical because different template engines have different syntax.

As mentioned in the Tree, it can be

* Twig
* Jinja2
* Mako
* Freemarker
* Velocity

and many more. Find out which one it is and pick the matching payload.

For payloads, see this repo: <https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection>

## What is SSTI?

***

SSTI is a security vulnerability (obviously) that happens when an attacker injects template syntax into user input, a URL parameter or any other user-controllable field that ends up inside a server-side template, so that the input is executed as template code instead of being treated as plain text.

## Why does SSTI happen?

***

It happens when unsanitized user input is passed directly into, or processed by, a template engine. If the engine interprets the input as code instead of plain text, an attacker can manipulate it to execute commands, which can lead to RCE.

The impact is critical when the template engine allows code execution.

## Where does SSTI occur?

***

SSTI usually happens in web applications that use template engines to render dynamic content; the entry point can be any type of user-controllable field.

## How to Prevent SSTI?

***

1. Use safe templating functions: instead of rendering raw user input as part of the template itself, pass it to the template as data through the engine's safe rendering methods.
2. Some template engines allow executing system commands by default: disable these features before deploying.
3. Sanitize user input before passing it into a template (input validation).
4. Use a Web Application Firewall (WAF) to detect and block SSTI payloads before they reach the server.
5. Before patching/deploying, test your own app by injecting SSTI payloads yourself; if the response still reveals something, then bro, you haven't patched it successfully. Try again.
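As an added example (not code from this page), here is the vulnerable pattern from point 1 beside its fix in Jinja2, with the `7*7` / `'7'*7` confirmation check from the Detection section run against both; the function names and the `PROBES` table are assumptions of this example.

```python
"""Vulnerable vs. hardened Jinja2 rendering, checked with the 7*7 probes."""
from jinja2 import Environment

# autoescape=True HTML-escapes values that arrive as data (not template source).
env = Environment(autoescape=True)


def render_vulnerable(name: str) -> str:
    """BUG: user input is glued into the template *source*, so any
    {{ ... }} the user supplies is parsed and executed as template code."""
    template_source = "Hello " + name + "!"
    return env.from_string(template_source).render()


def render_safe(name: str) -> str:
    """Fixed template source; user input only arrives as a context variable,
    which the engine treats as data and (with autoescape) HTML-escapes."""
    return env.from_string("Hello {{ name }}!").render(name=name)


# Probe -> value the engine produces if it evaluates the probe (from the page).
PROBES = {
    "{{7*7}}": "49",
    "{{'7'*7}}": "7777777",
}


def looks_injectable(render, probe: str) -> bool:
    """True when the engine evaluated the probe instead of echoing it back.
    A safe app reflects the probe literally (or escaped); a vulnerable one
    returns the computed value and the probe text disappears."""
    expected = PROBES[probe]
    out = render(probe)
    return expected in out and probe not in out


if __name__ == "__main__":
    for probe in PROBES:
        print(f"{probe!r:14} vulnerable={looks_injectable(render_vulnerable, probe)}"
              f" safe={looks_injectable(render_safe, probe)}")
    # Data passed as a variable is also escaped, so markup is neutralised too.
    print(render_safe("<b>x</b>"))
```

The same `looks_injectable` check is what step 5 above amounts to when you re-test your own app after a fix: if the computed value comes back, the input is still reaching the template source.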

