SSTIs can appear in two different contexts:
Each parameter below is followed by the response it produces.

```
smarty=Hello {user.name}
Hello user1

freemarker=Hello ${username}
Hello newuser

any=<b>Hello</b>
<b>Hello<b>
```

```
personal_greeting=username
Hello user01

personal_greeting=username<tag>
Hello

personal_greeting=username}}<tag>
Hello user01 <tag>
```
These usually result in XSS attacks, because the input is evaluated: if you enter an alert() function, it will be shown.
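The two contexts next to their fixes, as an added example that is not part of the original page: `render` is a toy `{{ name }}` engine standing in for a real one, and the function names, the `USER` record and the allowlist are assumptions. In the toy, the third `personal_greeting` input leaves a stray `}}` after `<tag>`; the signal is the same, since `<tag>` has left the expression and reached the output.

```python
import html
import re

# Toy engine (assumption, stands in for a real one): {{ name }} -> context value.
_EXPR = re.compile(r"\{\{(.*?)\}\}")

def render(template, context, escape=False):
    def substitute(match):
        value = str(context.get(match.group(1).strip(), ""))  # unknown name -> ""
        return html.escape(value) if escape else value
    return _EXPR.sub(substitute, template)

USER = {"username": "user01", "nickname": "u1"}  # constructed sample record
ALLOWED_FIELDS = frozenset(USER)

def greet_vulnerable(personal_greeting):
    # Code context: the parameter is concatenated into the template source,
    # so the engine parses whatever the client sent as part of an expression.
    return render("Hello {{" + personal_greeting + "}}", USER)

def greet_hardened(personal_greeting):
    # The parameter only selects from an allowlist; the template is constant
    # and the chosen value reaches the engine as data, HTML-escaped on output.
    if personal_greeting not in ALLOWED_FIELDS:
        raise ValueError("unsupported greeting field")
    return render("Hello {{greeting}}", {"greeting": USER[personal_greeting]}, escape=True)

def message_vulnerable(text):
    # Plaintext context: the user's text is itself used as the template.
    return render(text, USER)

def message_hardened(text):
    # The user's text is a value inside a constant template, never template source.
    return render("{{message}}", {"message": text}, escape=True)

if __name__ == "__main__":
    for value in ("username", "username<tag>", "username}}<tag>"):
        print(repr(value), "->", repr(greet_vulnerable(value)))
```
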
Once you have detected SSTI by submitting an invalid input and getting a result, it's important to try to determine which template engine is in use. Why? Because although all of them work in similar ways, they have important differences...