Server-Side Template Injection (SSTI)
What is SSTI?
Server-Side Template Injection (SSTI) is a vulnerability in which attacker-controlled input is embedded into the source of a server-side template, rather than passed to it as data, so the template engine parses and evaluates that input as template code. Because most engines (Jinja2, Twig, FreeMarker and others) expose expressions, filters and object access from inside a template, a successful injection usually escalates to Remote Code Execution (RCE) on the server. The root cause is almost always string concatenation: the application builds a template string from user input and hands the result to the engine to render.
SSTI Example
The standard way to detect SSTI is to send an expression the engine would evaluate and look for its result in the response:
// User input
{{7*7}}
// Server response
49
If the server returns 49, the engine evaluated {{7*7}} as an expression, which means the input reached the template source rather than being treated as data. A server that echoed the literal string {{7*7}} passed the input as a variable and is not injectable at that point. The probe syntax depends on the engine: {{ }} is used by Jinja2 and Twig, ${ } by FreeMarker, so a realistic test sends several syntaxes. A missing 49 does not prove safety, since the result may be rendered somewhere other than the immediate response.
Prevention
The first and most important defence is structural: never build template source from user input. Pass untrusted values into the template as context variables, where the engine treats them as data, and keep templates as static files under developer control. Beyond that:
- Pass input as data, not as source: render a fixed template and supply the user's value as a named variable, instead of concatenating it into the template string.
- Validate with allow lists: where user input must select a template (a language, theme or report type), accept only known values and map them to template paths; never use the raw value.
- Treat sanitization as a last resort: stripping delimiters such as {{ or ${ is fragile because every engine has its own syntax and encodings, and it does not replace the structural fix.
- Limit template engine features: where user-authored templates are a requirement, use a logic-less engine (such as Mustache) or the engine's sandbox mode (such as Jinja2's SandboxedEnvironment), and run the rendering process with least privilege so that a sandbox bypass yields as little as possible.
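As an added, runnable illustration of both the {{7*7}} probe above and the prevention advice (example code written for this page, not taken from it or from any template engine's own source): a minimal stdlib-only stand-in for an engine like Jinja2, a hypothetical greeting handler written the vulnerable way and the safe way, and a probe that applies the 7*7 check. The stand-in engine, the handler names, the app_secret value and the probe list are all assumptions made for this example.

```python
import re

# Stand-in for a real template engine such as Jinja2 or Twig: every {{ expr }}
# in the template SOURCE is evaluated as an expression. The builtins are
# stripped only to keep this toy tame; that is not a security boundary.
EXPR = re.compile(r"\{\{(.*?)\}\}")


def render(template_source: str, **context) -> str:
    """Render template_source, evaluating each {{ expr }} against context."""
    def evaluate(match):
        expr = match.group(1).strip()
        return str(eval(expr, {"__builtins__": {}}, dict(context)))
    return EXPR.sub(evaluate, template_source)


# Hypothetical request handler (assumed, not from the page): it builds the
# template SOURCE by concatenating user input. This is the SSTI pattern.
def greet_vulnerable(name: str) -> str:
    source = "Hello " + name + "!"
    return render(source, app_secret="s3cr3t")  # constructed secret value


# Hardened version: the template is fixed and the user value is passed as DATA.
def greet_safe(name: str) -> str:
    return render("Hello {{ name }}!", name=name, app_secret="s3cr3t")


# Detection probe in the spirit of the {{7*7}} -> 49 check. The second payload,
# {{7*'7'}}, separates a Python-style engine (Jinja2 yields 7777777) from
# Twig (which yields 49); this stand-in behaves like Jinja2.
PROBES = [("{{7*7}}", "49"), ("{{7*'7'}}", "7777777")]


def looks_injectable(handler) -> bool:
    """Return True if the handler evaluates every probe expression."""
    for payload, expected in PROBES:
        if expected not in handler(payload):
            return False
    return True


if __name__ == "__main__":
    for label, handler in (("vulnerable", greet_vulnerable), ("safe", greet_safe)):
        print(label, "->", handler("{{7*7}}"),
              "| injectable:", looks_injectable(handler))
    # Once expressions evaluate, anything in the render context is readable.
    print("context leak:", greet_vulnerable("{{ app_secret }}"))
```

The two handlers receive identical input; the only difference is whether that input becomes part of the template source or is handed to the engine as a variable. That single distinction is the whole SSTI fix, and the probe function is what a scanner does to tell the two cases apart.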