Table of Contents

Introduction

In this video walkthrough, we covered manual and automatic methods to detect Server Side Template Injection or SSTI. We used ZTH: Obscure Web Vulns room from TryHackMe .

SSTI or Server Side Template Injection

A template engine allows developers to use static HTML pages with dynamic elements. Take for instance a static profile.html page, a template engine would allow a developer to set a username parameter, that would always be set  to the current user’s username

Server Side Template Injection, is when a user is able to pass in a parameter that can control the template engine that is running on the server.

This introduces a vulnerability, as it allows a hacker to inject template code into the website. The effects of this can be devastating, from XSS, all the way to RCE.

Note: Different template engines have different injection payloads, however usually you can test for SSTI using {{2+2}} as a test.

Get OSCP Certificate Notes

Answers

What is the flag?

Video Walk-through

Show Comments

The MasterMinds Notes

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by, Motasem Hamdan, who is a Cybersecurity content creator and YouTuber.

View Articles