SSTI vulnerabilities depend a lot on the engine used by the tested application. However, the main idea of a template engine is that you pass a parameter, the engine interprets it, and the engine builds the view from it. So, most engines expect some text, parse it, and display the result. Take the following as an example:
Input:  any=Hello
Output: <b>Hello</b>
In the preceding example, the application receives a string and the engine automatically wraps it in HTML tags to display it. These engines can also interpret values passed as parameters, including operators. For example:
Input:  any=Hello ${7*7}
Output: Hello 49
In this case, the engine evaluates the * operator with the values passed. So, if you pass an unexpected string as a parameter, it could be reflected back, or it could be used to extract sensitive information, as can be seen in the following:
Input:  personal_greeting=username<tag>
Output: Hello

Input:  personal_greeting=username}}<tag>
Output: Hello user01 <tag>
Here, the engine is interpreting the parameter...
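The following is an added example, not code from the book or from any real template engine: a deliberately tiny toy engine that evaluates ${...} arithmetic, used to show why the ${7*7} probe above returns 49 when user input is concatenated into the template source, and why it stays literal when the input is passed as a context value instead. The function names (render, greet_vulnerable, greet_safe, looks_like_ssti_probe) are assumptions made for this example.

```python
import ast
import operator
import re

# Toy engine, constructed for this example: it only understands ${...}
# placeholders, which are either a context variable or integer arithmetic.
_OPS = {ast.Add: operator.add, ast.Sub: operator.sub,
        ast.Mult: operator.mul, ast.Div: operator.truediv}
_EXPR = re.compile(r"\$\{([^}]*)\}")


def _eval_arith(expr: str):
    """Evaluate integer arithmetic only; any other syntax is rejected."""
    def walk(node):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if isinstance(node, ast.Constant) and isinstance(node.value, int):
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in _OPS:
            return _OPS[type(node.op)](walk(node.left), walk(node.right))
        raise ValueError("unsupported expression: " + expr)
    return walk(ast.parse(expr, mode="eval"))


def render(template: str, context: dict) -> str:
    """Replace each ${name} with its context value, or evaluate ${arithmetic}."""
    def substitute(match):
        body = match.group(1).strip()
        if body in context:
            return str(context[body])   # values are inserted, never re-parsed
        return str(_eval_arith(body))
    return _EXPR.sub(substitute, template)


def greet_vulnerable(user_input: str) -> str:
    # Vulnerable pattern: user input becomes part of the template source,
    # so "${7*7}" is evaluated by the engine and rendered as "Hello 49".
    return render("Hello " + user_input, {})


def greet_safe(user_input: str) -> str:
    # Fixed pattern: the template is a constant and the input is only a
    # context value, so "${7*7}" is displayed verbatim.
    return render("Hello ${name}", {"name": user_input})


def looks_like_ssti_probe(value: str) -> bool:
    """Detection helper: flag parameter values that carry template syntax."""
    return re.search(r"\$\{[^}]*\}|\{\{[^}]*\}\}|<%.*?%>|\{%.*?%\}", value) is not None
```

The same distinction applies to real engines: render a fixed template with the request data in the context, never a template built from the request data.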