Security Test: SSTI (Server-Side Template Injection)

Description

Default Severity:

Server-Side Template Injection happens when an attacker gains control over part of a web page's template by injecting content that the server then processes as template code rather than as data. This usually occurs when user input is embedded directly into the template source without proper validation or filtering. Because template engines expose powerful built-in functions and objects, an attacker who controls the template may be able to run system commands, access sensitive data, or trigger unwanted operations on the server. Developers commonly fall into this trap by failing to sanitize inputs or by misconfiguring the template engine, leaving the application open to serious consequences such as unauthorized data exposure or complete server compromise if the vulnerability is exploited.
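The distinction that matters here is whether user input reaches the engine as template source or as a context value. The following added example (not code from the scanner or from any real template engine) uses a tiny stand-in engine whose `{{ expr }}` syntax is evaluated as a Python expression, mimicking the expression languages of engines such as Jinja2; `render`, `greet_vulnerable`, `greet_safe` and `probe_evaluated` are hypothetical names chosen for illustration. It shows the vulnerable concatenation pattern beside the fixed pattern, and the arithmetic canary check a scanner or integration test can use to tell the two apart.

```python
import html
import re

# Minimal stand-in for a real template engine: every `{{ expr }}` is evaluated
# as a Python expression against the supplied context. This is the capability
# that makes attacker-controlled template SOURCE dangerous. Added example only;
# not the scanner's code and not any real engine's implementation.
_EXPR = re.compile(r"\{\{\s*(.+?)\s*\}\}")


def render(template_source: str, context: dict) -> str:
    """Render template_source, evaluating each {{ expr }} against context."""

    def _eval(match: re.Match) -> str:
        # Real engines have richer expression languages; eval() stands in here.
        # Builtins are removed only to keep the toy small, not as a sandbox.
        return str(eval(match.group(1), {"__builtins__": {}}, dict(context)))

    # re.sub does not re-scan replacement text, so substituted values are
    # emitted verbatim and never evaluated as a second pass.
    return _EXPR.sub(_eval, template_source)


def greet_vulnerable(user_name: str) -> str:
    """Vulnerable pattern: user input is concatenated into the template SOURCE,
    so the engine treats whatever the user typed as template code."""
    return render("Hello " + user_name + "!", {})


def greet_safe(user_name: str) -> str:
    """Fixed pattern: the template source is a constant string; user input only
    ever enters as a context VALUE, which the engine emits as data. Escaping
    it for HTML on the way in also closes the accompanying XSS path."""
    return render("Hello {{ name }}!", {"name": html.escape(user_name)})


# Canary-style check: submit a harmless arithmetic expression and look for its
# result in the response. Evaluation means the input reached template source.
PROBE = "{{ 7*7 }}"


def probe_evaluated(response: str) -> bool:
    """True if the probe was evaluated (SSTI indicator); False if it came back
    as the literal text the safe rendering would produce."""
    return "49" in response and PROBE not in response


if __name__ == "__main__":
    for name, handler in (("vulnerable", greet_vulnerable), ("safe", greet_safe)):
        out = handler(PROBE)
        print(f"{name:10s} -> {out!r}  evaluated={probe_evaluated(out)}")
```

Running the block prints `Hello 49!` for the vulnerable handler and `Hello {{ 7*7 }}!` for the safe one; the probe is the same input in both cases, only the way it reaches the engine differs, which is exactly what the check above detects.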

Reference:

Configuration

Identifier: injection/ssti

Examples

All configuration available:

checks:
  injection/ssti:
    skip: false # default

Compliance and Standards

Standard            Value
OWASP API Top 10    API10:2023
OWASP LLM Top 10    LLM06:2023
PCI DSS             6.5.1
GDPR                Article-32
SOC2                CC1
PSD2                Article-95
ISO 27001           A.14.2
NIST                SP800-53
FedRAMP             AC-6
CWE                 94
CVSS Vector         CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:F/RL:O/RC:C
CVSS Score          6.8