Gaining Shell using Server Side Template Injection (SSTI)

From medium.com

This post is about Server Side Template Injection (SSTI) and a brief walkthrough of how it can be leveraged to get a shell on the server hosting the application.

A template engine makes designing HTML pages easier by using static template files in which variables/placeholders are replaced with actual values at runtime to produce the HTML pages. Some popular and widely used template engines are Smarty, Twig, Jinja2, FreeMarker and Velocity.

Server Side Template Injection is possible when an attacker injects a template directive as user input and the engine evaluates it, which can lead to arbitrary code execution on the server. If you happen to view the source of a web page and see the code snippets below, then it is safe to guess that the application is using some template engine to render data.
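The injection condition described above, shown as an added example that is not from the original post: with Jinja2 (one of the engines listed), user input concatenated into the template source is parsed as a directive, while the same input passed as render data is not. The function names and probe strings are hypothetical and constructed for this illustration; `input_reaches_parser` is a regression check a developer could run against their own render functions.

```python
from jinja2 import Environment, TemplateSyntaxError

env = Environment(autoescape=True)

# Constructed, harmless probes: an arithmetic expression and an unbalanced tag.
MARKER = "{{ 1337 * 3 }}"
EVALUATED = "4011"
UNBALANCED = "{{"


def greet_vulnerable(name: str) -> str:
    # Vulnerable: user input becomes part of the template *source*,
    # so any directive it contains is parsed and evaluated.
    return env.from_string("<p>Hello " + name + "</p>").render()


def greet_safe(name: str) -> str:
    # Hardened: the template source is a fixed string and user input
    # is passed only as data; autoescape also HTML-escapes it.
    return env.from_string("<p>Hello {{ name }}</p>").render(name=name)


def input_reaches_parser(render_fn) -> bool:
    """Return True if render_fn lets its argument reach the template parser."""
    for probe in (MARKER, UNBALANCED):
        try:
            out = render_fn(probe)
        except TemplateSyntaxError:
            # A syntax error caused by user input means it was parsed as
            # template source; such errors in logs are a detection signal.
            return True
        if EVALUATED in out:
            return True
    return False


if __name__ == "__main__":
    for fn in (greet_vulnerable, greet_safe):
        print(fn.__name__, "-> input reaches parser:", input_reaches_parser(fn))
```
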
