Server-Side Template Injection


Web applications often rely on template engines to manage the dynamic generation of the HTML pages presented to their users. A Server-Side Template Injection (SSTI) vulnerability exists when an application embeds unsafe user-controlled inputs in its templates and then evaluates it. By injecting a specific payload dependent on the template engine used by the application, an attacker can leverage this vulnerability to gain access to sensitive information or to achieve remote code execution.

Products, Sensors, and Dependencies

ProductDependenciesData sourceAccess requiredProtocolData CollectedNotes
Tenable Web App ScanningWeb ApplicationsAuthenticated ScanHTTP/HTTPSServer-Side Template InjectionPlugin ID: 112614


Server-Side Template Injection

Attack Path Technique Details

Framework: OWASP

Family: Injection

Platform: Web Application

Products Required: Tenable Web App Scanning

Tenable Release Date: 2022 Q2