Basic SSTI — Server-Side Template Injection | 2023
Portswigger — Basic server-side template injection Solution | Karthikeyan Nagaraj

What is SSTI?
- Server-side template injection is a vulnerability in which an attacker injects malicious input into a template so that it is executed on the server side.
- It occurs when user input is embedded unsafely into a template that the template engine then evaluates, which can generally lead to remote code execution (RCE).
- Template engines are designed to combine templates with a data model to produce result documents that help populate dynamic data into web pages.
- Template engines can be used to display information about users, products, and so on.
- Popular template engines are:
  - PHP — Smarty, Twig
  - Java — Velocity, FreeMarker
  - Python — Jinja2, Mako, Tornado
  - JavaScript — Jade, Rage
  - Ruby — Liquid
What is ERB?
- ERB is a templating language based on Ruby.
- Puppet can evaluate ERB templates with the template and inline_template functions.
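The distinction above (user input embedded into the template source versus passed to it as data) is the whole root cause of ERB-based SSTI. The following is an added example, not code from the post or from PortSwigger; the greeting feature and function names are assumptions, and the probe input is constructed to show whether template syntax is being evaluated.

```ruby
require 'erb'

# Added example (not part of the original post): how ERB-based SSTI arises
# and how to avoid it. The greeting feature and these names are assumptions.

# VULNERABLE: user input is spliced into the template source itself, so any
# <%= ... %> the user supplies is parsed and evaluated as Ruby by ERB.
def render_greeting_vulnerable(user_name)
  template_source = "Hello #{user_name}!"   # template built by string interpolation
  ERB.new(template_source).result(binding)
end

# SAFE: the template source is fixed; user input enters only as data, so ERB
# never parses it. html_escape additionally neutralises markup for the browser.
def render_greeting_safe(user_name)
  template_source = "Hello <%= ERB::Util.html_escape(name) %>!"  # fixed source
  ERB.new(template_source).result_with_hash(name: user_name)
end

# Constructed probe input of the kind used when testing for template evaluation:
# if the arithmetic is computed, user-supplied template syntax reached the engine.
PROBE = '<%= 7 * 7 %>'

if __FILE__ == $PROGRAM_NAME
  puts render_greeting_vulnerable(PROBE)  # Hello 49!  (input was evaluated)
  puts render_greeting_safe(PROBE)        # Hello &lt;%= 7 * 7 %&gt;!  (treated as data)
end
```

The same probe rendered as `49` by the first function and as literal text by the second is the observable difference between a template that is injectable and one that only receives data.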