Server-Side Template Injection (SSTI)
Server-Side Template Injection (SSTI) occurs when user input is used as part of a template's source text rather than being passed to the template as data. Template engines such as Jinja2 (Python), Twig (PHP), or Velocity (Java) then parse the attacker-controlled expressions and evaluate them as code.
```python
from jinja2 import Template

def render_template(template, **context):
    # The template *source* comes straight from the caller, so any template
    # syntax inside it is parsed and evaluated by Jinja2.
    t = Template(template)
    return t.render(**context)

# User input becomes the template source: this is the injection point.
template = input('Enter a template: ')
context = {'user': 'Alice'}
print(render_template(template, **context))
```
Malicious input:

{{7*7}}

Server evaluates and returns:

49
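The fix is to keep user input out of the template source entirely: the developer writes the template, and user-supplied values only ever arrive as context variables. The following added example (not code from the original page) contrasts the page's vulnerable pattern with a hardened renderer, and also shows that Jinja2's SandboxedEnvironment, while it restricts attribute access, still evaluates expressions, so it is defense in depth rather than a fix. The template text and function names are assumptions for illustration.

```python
from jinja2 import Environment
from jinja2.sandbox import SandboxedEnvironment

# Developer-authored template. Only this string is ever compiled as a template;
# user input is bound to the `name` variable at render time. (Assumed template.)
GREETING_TEMPLATE = "Hello {{ name }}!"


def render_vulnerable(user_supplied: str, **context) -> str:
    """Same flaw as the page's snippet: user input becomes template *source*."""
    env = Environment()
    return env.from_string(user_supplied).render(**context)


def render_sandboxed(user_supplied: str, **context) -> str:
    """Sandbox variant of the same flaw. The sandbox blocks access to unsafe
    attributes, but arithmetic and other expressions still evaluate, so the
    injected template is still executed."""
    env = SandboxedEnvironment()
    return env.from_string(user_supplied).render(**context)


def render_hardened(user_supplied: str) -> str:
    """User input is data, never template source. The template is fixed and
    autoescaping is on so the value is also safe to place in HTML."""
    env = Environment(autoescape=True)
    return env.from_string(GREETING_TEMPLATE).render(name=user_supplied)


if __name__ == "__main__":
    # Constructed probe input: the arithmetic placeholder from the page.
    probe = "{{7*7}}"
    print("vulnerable:", render_vulnerable(probe, user="Alice"))   # 49
    print("sandboxed: ", render_sandboxed(probe, user="Alice"))    # 49
    print("hardened:  ", render_hardened(probe))                   # Hello {{7*7}}!
    print("hardened:  ", render_hardened("<b>x</b>"))              # Hello &lt;b&gt;x&lt;/b&gt;!
```

In the hardened version the braces in the input survive as literal text because they are never parsed by the engine; the sandboxed version shows why "we use the sandbox" is not a complete answer to an SSTI finding.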
- Test placeholders: {{7*7}} for arithmetic confirmation.
- Find filters or functions: {{config.__class__.__mro__[1].__subclasses__()}}.
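The arithmetic placeholder above is also what a defender should expect to see first in the logs. The following added example (not from the original page) scans constructed web-server access log lines for template expression delimiters used by common engines inside URL-decoded query parameters; the log lines, parameter names and function name are all constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Expression delimiters of common engines: Jinja2/Twig {{ }} and {% %},
# Velocity/FreeMarker ${ }, ERB/JSP <% %>, Ruby/Thymeleaf-style #{ }.
TEMPLATE_EXPR = re.compile(r"\{\{.+?\}\}|\{%.+?%\}|\$\{.+?\}|<%.+?%>|#\{.+?\}", re.S)

# Request line of a combined-format access log: "METHOD /path?query HTTP/x.y"
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2024:13:55:36 +0000] "GET /greet?name=Alice HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Oct/2024:13:55:40 +0000] "GET /greet?name=%7B%7B7*7%7D%7D HTTP/1.1" 200 498',
    '198.51.100.2 - - [10/Oct/2024:13:56:01 +0000] "GET /greet?name=%24%7B7*7%7D HTTP/1.1" 200 498',
    '198.51.100.9 - - [10/Oct/2024:13:56:09 +0000] "POST /login HTTP/1.1" 302 0',
]


def find_template_probes(log_lines):
    """Return (line_no, param, decoded_value) for each query parameter whose
    URL-decoded value contains template expression syntax."""
    hits = []
    for line_no, line in enumerate(log_lines, start=1):
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        # parse_qsl percent-decodes values, so encoded braces are caught.
        for param, value in parse_qsl(query, keep_blank_values=True):
            if TEMPLATE_EXPR.search(value):
                hits.append((line_no, param, value))
    return hits


if __name__ == "__main__":
    for line_no, param, value in find_template_probes(SAMPLE_LOG):
        print(f"line {line_no}: parameter {param!r} contains template syntax: {value!r}")
```

The scan only looks at GET query strings after a single round of percent-decoding; POST bodies, headers and double-encoded input need the same check applied at the point where the application decodes them. A hit on an arithmetic probe like {{7*7}} paired with a 200 response whose body length differs from the normal page is the signal worth alerting on.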