Server Side Template Injection
Description
Server Side Template Injection occurs when user input is concatenated into the template source before the template engine parses it, instead of being handed to the engine as data in the render context. Everything inside the engine's expression delimiters is treated as code, so an attacker who controls part of the template can evaluate expressions with the privileges of the application process; in many engines this escalates to arbitrary code execution on the server.
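The following is an added example, not code from the original page. It uses a minimal stand-in engine (constructed here, evaluating `{{ expr }}` as a Python expression, the same property a real engine such as Jinja2 has) to show the difference between building the template from user input and passing the input as context data, together with the classic `{{7*7}}` probe a tester uses to detect the bug. The function names `render`, `greet_vulnerable`, `greet_safe` and `looks_injectable` are hypothetical.

```python
import re

# Constructed stand-in for a real template engine such as Jinja2: every
# {{ expr }} is evaluated as a Python expression against the render context.
# Real engines are far richer, but the essential property is identical:
# text inside the delimiters is code, not data.
_EXPR = re.compile(r"\{\{(.*?)\}\}")


def render(template, context=None):
    context = dict(context or {})

    def _evaluate(match):
        expr = match.group(1).strip()
        # Builtins are stripped only to keep the toy engine small; this is
        # not a sandbox and must not be read as one.
        return str(eval(expr, {"__builtins__": {}}, context))

    # Substitution happens once over the template source; the produced
    # output is never re-parsed, which is why the safe path below holds.
    return _EXPR.sub(_evaluate, template)


def greet_vulnerable(name):
    # BUG: the user-controlled string becomes part of the template source,
    # so any {{ ... }} it contains is compiled and executed by the engine.
    return render("Hello " + name + "!")


def greet_safe(name):
    # Fixed: the template is a constant and the user input travels through
    # the context. The engine prints the value; it never evaluates it.
    return render("Hello {{ name }}!", {"name": name})


PROBE = "{{7*7}}"


def looks_injectable(page_fn):
    """Classic SSTI probe: if the arithmetic was evaluated (49 appears and the
    raw probe text does not), the input reached the engine as code."""
    out = page_fn(PROBE)
    return "49" in out and PROBE not in out


if __name__ == "__main__":
    print(greet_vulnerable(PROBE))   # Hello 49!
    print(greet_safe(PROBE))         # Hello {{7*7}}!
    print(looks_injectable(greet_vulnerable), looks_injectable(greet_safe))
```

A second probe such as `{{7*'7'}}` helps fingerprint the engine once injection is confirmed: Python-based engines (Jinja2, and this stand-in) return `7777777` because string multiplication repeats the string, while Twig returns `49`.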
Impacts
Remote code execution
Information disclosure
Access to sensitive files on the server
Programming languages and associated template engines
| Language | Template engines |
|---|---|
| Python | Mako, Jinja2, Django templates |
| Java | Velocity, FreeMarker, WebMacro |
| JavaScript | Jade, Rage |
| PHP | Twig, Smarty, vlibTemplate |
Some payloads
Resources