Detection
SSTIs can appear in two different contexts:
- Plaintext context: It means that you can directly input HTML into the application, for example, in a text editor. Some examples of them are as follows:
smarty=Hello {user.name} Hello user1 freemarker=Hello ${username} Hello newuser any=<b>Hello</b> <b>Hello<b>
- Code context: This means that you enter values that are processed by the application and return a result. Some examples of them are as follows:
personal_greeting=username Hello user01 personal_greeting=username<tag> Hello personal_greeting=username}}<tag> Hello user01 <tag>
Usually these kind result in XSS attacks, due to the evaluated input, so, if you enter an alert()
function, it will be shown.
Once you detect that there's SSTI, using an invalid input and getting a result, it's important to try to determine which template engine is used. Why? Because despite all of them working in similar ways, they have important differences...