Exploiting Template Injection Vulnerabilities

When to Use

• During authorized penetration tests when user input is rendered through a server-side template engine
• When testing error pages, email templates, PDF generators, or report builders that include user-supplied data
• For assessing applications that allow users to customize templates or notification messages
• When identifying potential SSTI in parameters that reflect arithmetic results (e.g., {{7*7}} returns 49)
• During security assessments of CMS platforms, marketing tools, or any application with templating functionality

Prerequisites

• Authorization: Written penetration testing agreement with RCE testing scope
• Burp Suite Professional: For intercepting and modifying template parameters
• tplmap: Automated SSTI exploitation tool (git clone https://github.com/epinna/tplmap.git)
• SSTImap: Modern SSTI scanner (pip install sstimap)
• curl: For manual SSTI payload testing
• Knowledge of template engines: Jinja2, Twig, Freemarker, Velocity, Mako, Pebble, ERB, Smarty