Introduction

In this video walkthrough, we covered manual and automatic methods to detect Server Side Template Injection (SSTI). We used the ZTH: Obscure Web Vulns room from TryHackMe.

SSTI or Server Side Template Injection

A template engine allows developers to use static HTML pages with dynamic elements. Take, for instance, a static profile.html page: a template engine would allow a developer to set a username parameter that would always be set to the current user's username.

Server Side Template Injection occurs when a user is able to pass in a parameter that can control the template engine that is running on the server.

This introduces a vulnerability, as it allows a hacker to inject template code into the website. The effects of this can be devastating, from XSS, all the way to RCE.

Note: Different template engines have different injection payloads; however, you can usually test for SSTI using {{2+2}} as a test.
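The difference between user input treated as template source and user input treated as template data, as an added example that is not from the video or the TryHackMe room. The `render` function is a toy stand-in for a template engine written for this illustration, and the handler names are hypothetical.

```python
import ast
import html
import operator
import re

# Toy stand-in for a template engine (constructed for this example):
# {{ expr }} evaluates a context variable or integer arithmetic, nothing else.
_OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul}

def _eval(node, ctx):
    if isinstance(node, ast.Constant) and isinstance(node.value, int):
        return node.value
    if isinstance(node, ast.Name):
        return ctx.get(node.id, "")
    if isinstance(node, ast.BinOp) and type(node.op) in _OPS:
        return _OPS[type(node.op)](_eval(node.left, ctx), _eval(node.right, ctx))
    raise ValueError("unsupported expression")

def render(template, **ctx):
    # Single pass over the template source: substituted values are not re-parsed.
    def sub(match):
        tree = ast.parse(match.group(1).strip(), mode="eval")
        return str(_eval(tree.body, ctx))
    return re.sub(r"\{\{(.*?)\}\}", sub, template)

def profile_vulnerable(username):
    # User input is concatenated into the template source, so the engine
    # parses whatever template syntax the user supplies.
    return render("<h1>Profile: " + username + "</h1>")

def profile_safe(username):
    # The template is a fixed string; user input is only a context value,
    # HTML-escaped before it reaches the page.
    return render("<h1>Profile: {{ username }}</h1>", username=html.escape(username))

def evaluates_probe(handler):
    # Regression check: the {{2+2}} probe must come back verbatim, never as 4.
    out = handler("{{2+2}}")
    return "4" in out and "{{2+2}}" not in out

if __name__ == "__main__":
    for handler in (profile_vulnerable, profile_safe):
        print(handler.__name__, handler("{{2+2}}"), evaluates_probe(handler))
```

A check like `evaluates_probe` can be kept in a test suite so that a handler which starts building templates from request data fails the build.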


Answers

What is the flag?

Video Walk-through

About the Author

I create cybersecurity notes, digital marketing notes and online courses. I also provide digital marketing consulting including but not limited to SEO, Google & Meta ads and CRM administration.
