Access Control: Twig PHP <2.4.4 template engine - SSTI
Identifier: twig_php_ssti
Scanner(s) Support
| GraphQL Scanner | REST Scanner | WebApp Scanner | ASM Scanner |
|---|---|---|---|
Description
Twig PHP < 2.4.4 template engine contains server-side template injection vulnerabilities that allow remote attackers to execute arbitrary commands.
How we test: We test for server-side template injection vulnerabilities in Twig PHP by injecting template payloads and analyzing responses to detect if arbitrary commands can be executed through template rendering.
Configuration
Example
Example configuration:
Reference
skip
Type: boolean
Skip the test if true.