Server-Side Template Injection (SSTI) Resources

Server-Side Template Injection (SSTI)

Server-Side Template Injection (SSTI) occurs when user input is concatenated directly into a server-side template instead of being passed in as a parameter. Because templating engines are designed to evaluate expressions and call methods, an attacker who controls part of the template can frequently escalate from a reflected math expression like {{7*7}} all the way to remote code execution in the language the engine runs on.

The vulnerability class was first formalized by James Kettle's PortSwigger research, which demonstrated generic exploits and sandbox escapes across the most popular template engines. Since then, real-world SSTI has been found in Jinja2 (Python/Flask), Twig (PHP), Freemarker and Velocity (Java), Smarty and Mako, and even nominally sandboxed environments — sandbox escapes for Jinja2 are republished almost every year, and Apache Camel, OpenMetadata, and Alfresco have all shipped critical SSTI CVEs in production frameworks.

SSTI is easy to confuse with XSS at first glance because both involve injection into rendered output, but the impact is fundamentally different. XSS executes in the victim's browser; SSTI executes on the server, often as the application user, and leads directly to file read, environment access, and full RCE. Detection starts with simple expression probes ({{7*7}}, ${7*7}, *{7*7}), then engine fingerprinting through error messages, then engine-specific gadget chains.

This page collects PortSwigger's foundational research, Web Security Academy labs, HackTricks and PayloadsAllTheThings references, the standard tooling (tplmap, SSTImap), and engine-specific exploitation guides and CVE writeups for Jinja2, Twig, Freemarker, and beyond.

From PortSwigger Research