Explaining vulnerabilities : Template Injections (Server-Side) {Bug bounties}

Falken Smaze
2 min read · Nov 26, 2022

What are template engine injection vulnerabilities?

Template engines are commonly used in web applications to generate dynamic web pages and emails. When a developer is not careful with how user input is embedded into a template, the template engine will be vulnerable to SSTI.

It is important to understand that SSTIs are not XSSs. Unlike XSS vulnerabilities, template injection vulnerabilities often lead directly to remote code execution, since most template engines run on the server side.

Attack Strategy

Before we get into hunting for and exploiting template engine vulnerabilities, it’s important that you have a well-founded methodology for inspecting a website and its features. If you don’t already, you can check out this article I’ve written presenting my methodology.

  • The strategy for finding and exploiting template engine vulnerabilities is very similar to that for XSS.

Identify the vulnerability:

  • After you’ve performed enough recon on the target website, make a list of all the URLs that have fields in which user input is accepted.
  • The most common payload used is: ${7*7}
  • If you enter this payload and the server returns 49, you have detected an SSTI/CSTI vulnerability. If the server returns ${7*7} back unchanged, it is not vulnerable. You can try tampering with encoding and such, but if it still does not return 49, move on.

Identify the template engine used:

  • Input the following payload: {{7*'7'}}
  • If you get 49 back, the template engine being used is Twig. If you get 7777777 back, it is using Jinja2. If neither is returned, the field is not vulnerable.
  • ${"z".join("ab")} : If it resolves, the template engine is Mako.
  • A{*text*}b : If it resolves, the template engine used is Smarty.
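The same probe strings that identify an engine from the outside also make a cheap detection signal on the defending side. The following added example (not part of the original post) scans constructed access-log lines for the payloads listed above, URL-decoding the request path twice so that single- and double-encoded probes are both caught, and reports which engine family each probe targets. Log format, IP addresses and paths are all made up for the example.

```python
import re
from urllib.parse import unquote

# Probe patterns taken from the identification steps above, as regexes over the
# URL-decoded request path. Whitespace inside the braces is tolerated.
PROBE_PATTERNS = [
    ("generic-expression", re.compile(r"\$\{\s*7\s*\*\s*7\s*\}")),
    ("twig/jinja2", re.compile(r"\{\{\s*7\s*\*\s*'7'\s*\}\}")),
    ("mako", re.compile(r"\$\{\s*\"z\"\.join\(\"ab\"\)\s*\}")),
    ("smarty", re.compile(r"\{\*.*?\*\}")),
]

# Combined-log-style line: ip ident user [timestamp] "METHOD path proto" status bytes
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \d+'
)

# Constructed sample log: one benign request followed by four probe attempts,
# one of them double URL-encoded.
SAMPLE_LOG = [
    '203.0.113.5 - - [26/Nov/2022:10:00:01 +0000] "GET /search?q=shoes HTTP/1.1" 200 512',
    '203.0.113.5 - - [26/Nov/2022:10:00:02 +0000] "GET /search?q=%24%7B7*7%7D HTTP/1.1" 200 498',
    '203.0.113.5 - - [26/Nov/2022:10:00:03 +0000] "GET /search?q=%7B%7B7*%277%27%7D%7D HTTP/1.1" 200 498',
    '198.51.100.9 - - [26/Nov/2022:10:00:04 +0000] "GET /profile?name=%2524%257B7*7%257D HTTP/1.1" 200 1024',
    '198.51.100.9 - - [26/Nov/2022:10:00:05 +0000] "GET /profile?name=A%7B*text*%7Db HTTP/1.1" 200 1024',
]


def classify_request(path):
    """Return the probe families found in a request path (empty list if none)."""
    decoded = unquote(unquote(path))  # second pass defeats double encoding
    return [name for name, rx in PROBE_PATTERNS if rx.search(decoded)]


def scan_log(lines):
    """Yield (ip, path, families) for every parseable line carrying a probe."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        families = classify_request(m.group("path"))
        if families:
            hits.append((m.group("ip"), m.group("path"), families))
    return hits


if __name__ == "__main__":
    for ip, path, families in scan_log(SAMPLE_LOG):
        print(f"{ip} probed {path} -> {', '.join(families)}")
```

A run of these probes against a single parameter from one client is a strong sign that someone is working through exactly the steps described above; whether the application answered with 49 or echoed the payload back is what decides if the finding is an incident or just noise, so the scan is best paired with a check of the response bodies for those requests.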

Exploit the vulnerability:

  • This process depends entirely on the template engine being used, so first identify the engine by following the steps above.
  • After you have identified the template engine, look up its manual and find how you can take advantage of the vulnerability to cause the MOST damage, so you get the MOST $$$$.

I hope you’ve learned something from this article. If you want more articles in this series, make sure to clap and follow me!
