#input #ssti #webvulnerability

Server-Side Template Injection (SSTI) is a vulnerability in which attacker-controlled input is concatenated into a template, letting the attacker inject a malicious payload or command. Template engines are designed to generate web pages by combining fixed templates with volatile data. These injections are delivered and evaluated server-side.

## Detection

- `${{<%[%'"}}%\` - If an error is thrown, it may be vulnerable
- `${7*7}` - If evaluated, it would mean it's being evaluated server-side

Filters may be in place to detect and sanitize malicious input.

## Identification

![[Pasted image 20240306121410.png]]

The above table shows some common ways to identify the template engine being used by the server.

### Regex Filtering

[Regex Security Cheatsheet](https://github.com/attackercan/regexp-security-cheatsheet)

If testing returns a response about malicious input, or you notice the input was filtered, it's possible they are using regex to sanitize the input. Try some of the tests above to see if you can bypass the regex filter.

## Tools

- [SSTImap](https://github.com/vladko312/SSTImap)
- [TInjA](https://github.com/Hackmanit/TInjA)
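
The two probes from the Detection section are also what a defender can look for in request logs. The Python script below is an added example, not part of the original note: it decodes query parameters (including double URL-encoding) and flags the arithmetic and polyglot probes. The log lines, paths, and function names are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Template delimiters used by the probes in this note: ${ }, {{ }}, <% %>
OPENERS = ("${", "{{", "<%")
# Arithmetic inside a template delimiter, e.g. ${7*7} or {{7*7}}
ARITH_PROBE = re.compile(r"(\$\{|\{\{|<%=?)\s*\d+\s*[*+\-]\s*\d+\s*(\}\}|\}|%>)")
# Request target and status code from a common-log-format line
REQUEST = re.compile(r'"[A-Z]+ (\S+) [^"]*" (\d{3})')

# Constructed sample access-log lines (documentation IP ranges, made-up paths)
SAMPLE_LOG = [
    '203.0.113.7 - - [06/Mar/2024:12:14:10 +0000] "GET /greet?name=%24%7B7*7%7D HTTP/1.1" 200 512',
    '203.0.113.7 - - [06/Mar/2024:12:14:12 +0000] "GET /greet?name=%24%7B%7B%3C%25%5B%25%27%22%7D%7D%25%5C HTTP/1.1" 500 231',
    '198.51.100.4 - - [06/Mar/2024:12:15:01 +0000] "GET /greet?name=alice HTTP/1.1" 200 498',
    '203.0.113.9 - - [06/Mar/2024:12:16:40 +0000] "GET /search?q=%257B%257B7*7%257D%257D HTTP/1.1" 200 77',
]

def fully_decode(value, max_rounds=3):
    """Undo repeated URL-encoding, bounded so crafted input cannot loop forever."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(value):
    """Return the set of SSTI probe types seen in one decoded parameter value."""
    findings = set()
    if ARITH_PROBE.search(value):
        findings.add("arithmetic-probe")
    # Several different template openers in one value suggests a polyglot test string
    if sum(opener in value for opener in OPENERS) >= 2:
        findings.add("polyglot-probe")
    return findings

def scan(lines):
    """Return (parameter, findings, HTTP status) for every flagged query parameter."""
    hits = []
    for line in lines:
        match = REQUEST.search(line)
        if not match:
            continue
        query = urlsplit(match.group(1)).query
        for name, raw in parse_qsl(query, keep_blank_values=True):
            findings = classify(fully_decode(raw))
            if findings:
                hits.append((name, sorted(findings), int(match.group(2))))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A match shows that someone tested the endpoint, not that it is vulnerable. A 500 response to the polyglot, or a response body containing the evaluated result, is the signal to review how that handler builds its template.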