Server-side Template Injection
This article explains what server‑side template injection (SSTI) is, how it arises, its potential impacts such as remote code execution, methods for detecting, identifying and exploiting vulnerable template engines, and best‑practice mitigation techniques to prevent these critical web security flaws.
Server-side Template Injection
In this section we introduce what server‑side template injection (SSTI) is, outline basic exploitation methods, and provide recommendations for avoiding this vulnerability.
What is Server-side Template Injection
SSTI occurs when an attacker injects malicious payloads into a template using the template’s own syntax, causing the payload to be executed on the server.
Template engines combine a static template with variable data to generate web pages. When user input is concatenated directly into the template instead of being passed as data, SSTI can occur, allowing an attacker to inject arbitrary template directives and potentially gain full control of the server. Because the payload is delivered and executed server‑side, SSTI can be more dangerous than client‑side template injection.
Potential Impact of SSTI
SSTI can expose a site to a range of attacks depending on the template engine and its usage. In most cases the impact is catastrophic.
The worst case is remote code execution, giving the attacker complete control of the backend server and the ability to launch further attacks on internal infrastructure.
Even without full RCE, SSTI often serves as a foothold for other attacks, granting access to sensitive data or arbitrary files on the server.
How SSTI Vulnerabilities Arise
They arise when user input is concatenated directly into a template rather than being supplied as data.
Static templates that only render placeholders are generally safe. For example, rendering a user’s first name in a Twig template is safe because the name is passed as data:
$output = $twig->render("Dear {{first_name}},", array("first_name" => $user->first_name));

However, developers sometimes concatenate user input into the template itself:

$output = $twig->render("Dear " . $_GET['name']);

In this case the GET parameter becomes part of the template, allowing attacks such as:

http://vulnerable-website.com/?name={{bad-stuff-here}}

Such flaws often stem from developers being unfamiliar with the security implications of template syntax, much as with SQL injection.
Sometimes the behavior is intentional, e.g., allowing privileged users to edit custom templates, which dramatically raises the risk if an attacker compromises a privileged account.
Constructing an SSTI Attack
Identifying an SSTI vulnerability and planning an attack typically follows an abstract process.
Detection
SSTI bugs often go unnoticed, not because they are complex, but because they only become apparent when an auditor explicitly looks for them. Simple fuzzing with common template delimiters such as
${<%[%'
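The concatenation bug from the Twig example and the delimiter probe used for detection, run side by side as an added example (written for this page, not code from the article). The small `render` function is a stand-in for an expression-evaluating engine such as Twig; `greet_vulnerable`, `greet_safe` and `looks_injectable` are hypothetical names.

```python
import re

# Stand-in for an expression-evaluating template engine (Twig, Jinja2, ...).
# It is NOT a real engine; it exists only so the vulnerable and safe call
# patterns from the text can be executed without third-party packages.
PLACEHOLDER = re.compile(r"\{\{\s*(.+?)\s*\}\}")


def render(template: str, **data) -> str:
    """Replace every {{ expr }} with expr evaluated against the supplied data."""
    def substitute(match):
        expr = match.group(1)
        # Real engines run a full expression language here; eval() mimics that
        # (restricted builtins only keep the toy small, they are not a defence).
        return str(eval(expr, {"__builtins__": {}}, dict(data)))
    # re.sub does not re-scan substituted text, so values never become code.
    return PLACEHOLDER.sub(substitute, template)


def greet_vulnerable(name: str) -> str:
    # Mirrors $twig->render("Dear " . $_GET['name']): input becomes template code.
    return render("Dear " + name)


def greet_safe(name: str) -> str:
    # Mirrors passing first_name as data: the template is static, input is a value.
    return render("Dear {{ first_name }}", first_name=name)


def looks_injectable(greet, probe: str = "{{ 7 * 7 }}") -> bool:
    """Detection check: a harmless arithmetic probe is only evaluated when the
    input reached the engine as template code. True means it was computed."""
    literal = "Dear " + probe
    try:
        return greet(probe) != literal
    except Exception:
        # A template syntax error on probe input is itself a strong indicator.
        return True


if __name__ == "__main__":
    print(greet_vulnerable("{{ 7 * 7 }}"))   # Dear 49  (probe evaluated)
    print(greet_safe("{{ 7 * 7 }}"))         # Dear {{ 7 * 7 }}  (probe inert)
    print(looks_injectable(greet_vulnerable), looks_injectable(greet_safe))
```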