Server-Side Template Injection (SSTI)
Also known as: SSTI
Server-Side Template Injection (SSTI) occurs when user input is concatenated into a template that is then rendered by a server-side template engine (Jinja2, Twig, Freemarker, Velocity, and others). Because template engines can evaluate expressions and access objects, injection frequently escalates from information disclosure to remote code execution.
- OWASP
- A03:2021
How it works
- 1User input is placed directly into a template string rather than passed as data.
- 2The template engine evaluates the injected expression.
- 3The attacker probes with engine-specific syntax to confirm evaluation.
- 4They escalate through the object model to read data or execute commands.
Example
Vulnerable (Jinja2): render_template_string("Hello " + name)
Probe: {{7*7}} -> Hello 49
Escalate: {{ ''.__class__.__mro__[1].__subclasses__() }}Impact
SSTI commonly results in remote code execution on the application server, making it one of the most severe injection classes.
Remediation
- Never build templates from user input; pass user data as bound variables only.
- Use logic-less or sandboxed template engines where possible.
- Apply strict input validation and run the renderer with least privilege.
Detection & testing
Inject engine-specific expressions and observe evaluation (e.g. arithmetic rendering). Confirm with a safe, non-destructive command proof.
Impactr tests for Server-Side Template Injection (SSTI) the way an attacker would - investigating, chaining it with related flaws, and proving impact with a reproducible exploit before it reaches your report.
Test my app for SSTITools
Frequently asked questions
How is SSTI different from XSS?
XSS executes in the victim's browser (client-side). SSTI executes in the template engine on the server, so it often leads directly to server-side code execution rather than session theft.