# SSTI

### How to Detect

* &#x20;fuzzing the template by injecting a sequence of special characters such as `${{<%[%'"}}%\` ->If an exception is raised, this indicates that the injected template syntax is potentially being interpreted by the server in some way

**Plaintext context**

* It's about rendering your input server side into HTML or sort of form before generating the response like `render('Hello ' + username)`
* It's like a simple XSS here, However, by setting mathematical operations as the value of the parameter, we can test whether this is also a potential entry point for a server-side template injection attack `http://vulnerable-website.com/?username=${7*7}`

**Code context**

* &#x20;the vulnerability is exposed by user input being placed within a template expression
* first establish that the parameter doesn't contain a direct XSS vulnerability by injecting arbitrary HTML into the value: `http://vulnerable-website.com/?greeting=data.username<tag>` In the absence of XSS, this will usually either result in a blank entry in the output (just `Hello` with no username),
* try and break out of the statement using common templating syntax and attempt to inject arbitrary HTML after it: `http://vulnerable-website.com/?greeting=data.username}}<tag>`
* Try different syntax

### Identify

* submitting invalid syntax ex: `<%=foobar%>``<%=foobar%>`

![](https://3568755323-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F9UnXftTvxZq0DhdYyH5k%2Fuploads%2Fgit-blob-62ca90c1fdbc4b5a48b5e7c513a88934707b9735%2FPasted%20image%2020240908181755.png?alt=media)

* &#x20;same payload can sometimes return a successful response in more than one template language. For example, the payload `{{7*'7'}}` returns `49` in Twig and `7777777` in Jinja2