Server side template injection


What is SSTI?

A vulnerability in which attacker-controlled input is placed directly into a server-side template, so the template engine evaluates that input as template code instead of treating it as plain data.

What is a template?

A pre-defined structure or layout that determines how dynamic data is inserted into a static web page; it is used to generate dynamic content.

Examples:

Jinja → Python (Flask, Django)

Thymeleaf → Java (Spring)

EJS → JavaScript (Node.js)

Blade → PHP (Laravel)
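To make the distinction concrete, here is an added Python/Jinja2 example (not from the original post) that renders the same greeting two ways: user input spliced into the template source, and user input passed as template data. It assumes the jinja2 package is installed and uses a constructed, harmless arithmetic input to show the difference.

```python
import re
from jinja2 import Environment, BaseLoader

# One engine instance. autoescape protects the OUTPUT against XSS, but it
# does not prevent SSTI, because SSTI happens while the template is parsed.
env = Environment(loader=BaseLoader(), autoescape=True)


def render_vulnerable(name: str) -> str:
    """User input is concatenated into the template SOURCE.

    Anything in `name` that looks like Jinja syntax is parsed and evaluated
    by the engine with the privileges of the application.
    """
    return env.from_string("Hello " + name + "!").render()


def render_safe(name: str) -> str:
    """User input is passed as DATA to a fixed, developer-controlled template.

    The engine substitutes the value; it never parses it as template code.
    """
    return env.from_string("Hello {{ name }}!").render(name=name)


# Delimiters used by the engines listed above: Jinja/Blade ({{, {%),
# Thymeleaf/Spring EL (${, #{), EJS (<%). Useful for logging or alerting on
# suspicious input; it is a detection aid, not a replacement for render_safe.
_TEMPLATE_DELIMITERS = re.compile(r"\{\{|\{%|\$\{|#\{|<%")


def looks_like_template_syntax(value: str) -> bool:
    """Return True if `value` contains template-engine delimiters."""
    return _TEMPLATE_DELIMITERS.search(value) is not None


if __name__ == "__main__":
    probe = "{{ 7 * 7 }}"  # constructed input: harmless arithmetic
    print(render_vulnerable(probe))           # Hello 49!  (input was evaluated)
    print(render_safe(probe))                 # Hello {{ 7 * 7 }}!  (literal)
    print(looks_like_template_syntax(probe))  # True
```

The only difference between the two functions is whether the request value ends up in the template string or in the render context; the fix for SSTI is always the second form.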

What is the impact of SSTI?

  1. Remote code execution (RCE)
  2. Read sensitive data on the server