Security Test: SSTI (Server-Side Template Injection)
Description
Default Severity:
Server-Side Template Injection (SSTI) happens when an attacker gains control over part of a web page's template: content they supply is injected into the template source and then processed by the template engine on the server. This usually occurs when user input is concatenated directly into a template instead of being passed to it as data, without proper validation or filtering. Because template engines expose powerful built-in functions and object access, an attacker who controls the template may be able to run system commands, read sensitive data, or perform other unwanted operations on the server. Developers often fall into the trap of not sanitizing inputs properly or misconfiguring the template engine, leaving the door open to serious outcomes such as unauthorized data exposure or complete server compromise if the vulnerability is exploited.
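The following is an added example, not code from the original page or from the scanner it documents, showing the difference between the vulnerable pattern (user input concatenated into the template source) and the safe pattern (fixed template, user input passed as render data). It assumes the Jinja2 library is installed; the input string is a constructed, benign arithmetic expression used only to check whether the engine evaluates input as template syntax, which is the kind of check an SSTI security test performs.

```python
from jinja2 import Environment

# Constructed sample input: a harmless expression. If the engine evaluates it,
# user input is being treated as template code rather than as data.
PROBE = "{{ 7 * 7 }}"


def render_vulnerable(user_input: str) -> str:
    """Vulnerable pattern: the template source is built from user input.

    The engine parses user_input as Jinja2 syntax, so any template
    expression the user supplies is evaluated on the server.
    """
    env = Environment(autoescape=True)
    template = env.from_string("Hello " + user_input + "!")
    return template.render()


def render_safe(user_input: str) -> str:
    """Safe pattern: a fixed template; user input is passed as a variable.

    The engine never parses user_input, so template syntax inside it is
    rendered verbatim (and HTML-escaped because autoescape is on).
    """
    env = Environment(autoescape=True)
    template = env.from_string("Hello {{ name }}!")
    return template.render(name=user_input)


def evaluates_template_syntax(render_fn) -> bool:
    """Detection helper (hypothetical name): True if render_fn evaluated the
    probe instead of echoing it back unchanged."""
    output = render_fn(PROBE)
    return PROBE not in output and "49" in output


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(PROBE))   # Hello 49!
    print("safe:      ", render_safe(PROBE))         # Hello {{ 7 * 7 }}!
    print("vulnerable evaluates input:", evaluates_template_syntax(render_vulnerable))
    print("safe evaluates input:      ", evaluates_template_syntax(render_safe))
```

The fix is structural rather than a matter of escaping: keep the template source static and supply every user-controlled value through the render context. Input validation and a sandboxed environment are useful as defence in depth, but they do not replace this separation.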
Reference:
Configuration
Identifier:
injection/ssti
Examples
All configuration available:
Compliance and Standards
Standard | Value |
---|---|
OWASP API Top 10 | API10:2023 |
OWASP LLM Top 10 | LLM06:2023 |
PCI DSS | 6.5.1 |
GDPR | Article-32 |
SOC2 | CC1 |
PSD2 | Article-95 |
ISO 27001 | A.14.2 |
NIST | SP800-53 |
FedRAMP | AC-6 |
CWE | 94 |
CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:F/RL:O/RC:C |
CVSS Score | 6.8 |