Server-Side Template Injection (SSTI)

Server-side template injection happens when user input is evaluated as part of a template, often escalating from expression evaluation to full remote code execution.

Template Injection (SSTI)Generate payloads Cheat SheetCopy-ready payloads Testing GuideStep by step

What it is

SSTI occurs when an app embeds user input directly into a server-side template instead of passing it as data. Because template engines evaluate expressions, an attacker can read server state and frequently reach the underlying runtime to execute code.

How to test for it

Submit a math expression like {{7*7}} and engine-specific variants, then look for the evaluated result (49) in the response to fingerprint the engine. From there, walk the object graph to reach OS command execution.

How to prevent it

Never pass user input into template source. Use logic-less templates or pass values strictly as bound context data, sandbox the engine where supported, and validate any input that must influence templates against a strict allow-list.

In-depth articles

SSTI Exploitation: From Template Injection to Remote Code Execution15 min read Solving a Multi-Stage CTF Challenge Using Only Payload Playground18 min read CTF Web Challenge Methodology: Recon, Source Review, and Exploitation Chains14 min read

Frequently asked questions

How do I detect which template engine is in use?+

Send polyglot probes such as ${7*7}, {{7*7}}, and #{7*7}; which one evaluates (and how it handles object access) fingerprints the engine — Jinja2, Twig, Freemarker, and others differ.

Does SSTI always lead to RCE?+

Not always, but many engines expose enough of the runtime that expression evaluation can be escalated to remote code execution; even without RCE it often leaks sensitive server-side data.

Level up your security testing

Install the CLI

npx payload-playground

Explore All Tools

Encoding, hashing, JWT & more

Browse Cheat Sheets

Quick-reference payload guides

$loading...