Server Side Template Injection

Server-Side Template Injection (SSTI) occurs when untrusted input is embedded directly into a server-side template, causing the template engine to evaluate attacker-controlled expressions. This can escalate from data leakage to arbitrary code execution, depending on the template engine’s capabilities.

One of the main causes of SSTI is string concatenation of untrusted input into the template rather than passing it safely through the template context. Another common cause is double rendering, where a value is parsed and evaluated more than once, unintentionally executing injected expressions.

Remediation

Never concatenate untrusted input into templates — always pass it as context variables.
Ensure the template engine is configured to automatically escape or sandbox expressions.
Review and eliminate any cases of multiple rendering or re-evaluation of template content.
Where possible, use a simpler template engine that does not allow arbitrary code execution.

Metadata

Severity: critical
Slug: server-side-template-injection

CWEs

96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')
74: Improper Neutralization of Special Elements in Output Used by a Downstream Component
94: Improper Control of Generation of Code ('Code Injection')

OWASP

A03:2021: Injection

Available Labs

Select a language to explore available labs for this vulnerability.

2 Labs

Csharp Labs

Csharp 2 labs

Explore 2 labs in Csharp.

2 Labs

Go Labs

Go 2 labs

Explore 2 labs in Go.

2 Labs

Java Labs

Java 2 labs

Explore 2 labs in Java.

2 Labs

Javascript Labs

Javascript 2 labs

Explore 2 labs in Javascript.

2 Labs

Php Labs

Php 2 labs

Explore 2 labs in Php.

3 Labs

Python Labs

Python 3 labs

Explore 3 labs in Python.

2 Labs

Ruby Labs

Ruby 2 labs

Explore 2 labs in Ruby.

2 Labs

Typescript Labs

Typescript 2 labs

Explore 2 labs in Typescript.

No matching labs found

Try adjusting your language filter.

Play AppSec WarGames

Want to skill-up in secure coding and AppSec? Try SecDim Wargames to learn how to find, hack and fix security vulnerabilities inspired by real-world incidents.

For Companies Play Now

Got a comment?

Join our secure coding and AppSec community. A discussion board to share and discuss all aspects of secure programming, AppSec, DevSecOps, fuzzing, cloudsec, AIsec code review, and more.