Enumeration Steps

This vulnerability can be found in email templates, blogs, forums, comments, wikis

*pay extra attention when evaluting these functionalities in a web application*

• Whenever you come across these frameworks, consider testing the application for SSTI

  • Frameworks:
    • Flask
    • Django
    • NodeJs
    • JavaNinja
    • Twig
    • FreeMaker

• Identify the application’s built-in language and the running template engine.

• Identify injectable user-controlled inputs in GET and POST requests.

  • GET requests:
    • /pageName Ex: <http://example.com/{{7*7}>}
    • exposed parameters Ex: <http://example.com/home?name={{7*7}>}
  • POST requests:
    • parameters in POST requests body

• Fuzz the application with special characters ${{<%[%'"}}%\\. Observe which ones get interpreted by the server and which ones raise errors.

• Insert basic template injection payloads in all user inputs, and observe if the application engine evaluates them.

Basic Payload

${{7*7}}

${7*7}

<%= 7*7 %>

#{7*7}

*{{‘7’7}}

.{{7*7}}

*If the application calculates the numbers, it means it is vulnerable*

Flask Template Engine Commands

Reading Files