Server-Side Template Injection

Server-Side Template Injection (SSTI) is a vulnerability that occurs when an attacker is able to inject malicious code into a server-side template. This type of attack targets web applications that utilize server-side templating engines, such as PHP, Ruby, or Python frameworks. By exploiting SSTI, an attacker can manipulate the server-side templates to execute arbitrary code on the server, potentially leading to unauthorized access, data leakage, or even remote code execution.

Payloads

${{<%[%'"}}%\.
{{7*7}}
${7*7}
<%= 7*7 %>
${{7*7}}
#{7*7}
*{7*7}

References

PayloadsAllTheThings/Server Side Template Injection at master · swisskyrepo/PayloadsAllTheThingsGitHub

PreviousNoSQL Injection NextSQL Injection

Last updated 7 months ago