SSTI Exploitation
Server-Side Template Injection detection and exploitation
Key Concepts
Security Mindset
Think like an attacker - what can go wrong, what can be abused?
Defense in Depth
Multiple layers of security controls, no single point of failure.
Least Privilege
Grant minimum permissions needed for functionality.
Trust Boundaries
Identify where data crosses trust levels and validate at each boundary.
Learning Material
Injection & Client-Side Attacks Research
Purpose: Understanding injection and client-side vulnerability classes
Last Updated: December 28, 2025
Contents
Injection Attacks
- XSS (Cross-Site Scripting) - Reflected, Stored, DOM-based
- SQL Injection - UNION, Blind, Error-based, OOB
- SSRF (Server-Side Request Forgery) - Cloud metadata, internal services
- XXE (XML External Entity) - File read, blind exfiltration
- SSTI (Server-Side Template Injection) - Jinja2, Twig, Freemarker RCE
Case Studies
- Case Studies Index
Key Takeaways
XSS (CWE-79)
- Most common web vulnerability (CWE #1)
- DOM-based often missed by scanners
- CSP bypass techniques critical for modern apps
- Impact: cookie theft, session hijacking, phishing
SQL Injection (CWE-89)
- Highest-impact class for data breaches
- Blind techniques (boolean- or time-based) when the response shows no query output
- sqlmap for automation, Burp for manual
- Always test: `' OR 1=1--`, `' AND SLEEP(5)--`
SSRF (CWE-918)
- Cloud focus: 169.254.169.254 metadata endpoints
- Bypass: IP obfuscation, DNS rebinding, open redirects
- Blind SSRF via Collaborator/webhook.site
- Combine with XXE for internal reconnaissance
XXE (CWE-611)
- Modern XML parsers are often secure by default (external entity resolution disabled)
- Look for: SOAP, file upload (SVG, DOCX), content-type switching
- OOB exfiltration when no direct output
- Local DTD exploitation for stricter parsers
SSTI
- Highest payout potential (RCE)
- Detection: polyglot fuzzing with `${{<%**%'"}}%\`; engine identification via error messages
- Jinja2/Twig most common in bug bounty
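As an added example (not part of this knowledge-base page), here is the defender-side view of the detection bullet above: a log-triage script that URL-decodes query parameters from access-log lines, flags the template-expression delimiters the fuzz string is built from, attributes each hit to an engine family, and marks requests that drew a 5xx, since a probe that breaks the template is what produces the identifying error message. The sample log lines and the delimiter-to-engine mapping are constructed for illustration; the mapping is a triage hint, not an authoritative fingerprint.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Opening/closing delimiters used by common template engines, with the engine
# families that use them. Constructed for this example: several engines share
# delimiters, so treat the family as a hint for triage, not a verdict.
TEMPLATE_MARKERS = [
    (re.compile(r"\{\{.*?\}\}", re.S), "jinja2/twig/handlebars"),
    (re.compile(r"\{%.*?%\}", re.S), "jinja2/twig"),
    (re.compile(r"\$\{.*?\}", re.S), "freemarker/velocity/spring-el"),
    (re.compile(r"#\{.*?\}", re.S), "ruby-erb/thymeleaf"),
    (re.compile(r"\*\{.*?\}", re.S), "thymeleaf"),
    (re.compile(r"<%.*?%>", re.S), "erb/jsp"),
]

# "7*7"-style arithmetic is the classic way to tell an evaluated expression
# from one that is merely reflected back unchanged.
ARITHMETIC_PROBE = re.compile(r"\d+\s*[*+]\s*\d+")

# Common Log Format with the request line split into method, target and protocol.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """URL-decode repeatedly: probes are often double-encoded to slip past filters."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_value(value: str) -> list[dict]:
    """Return one finding per template-delimiter family present in a parameter value."""
    decoded = fully_decode(value)
    findings = []
    for pattern, family in TEMPLATE_MARKERS:
        match = pattern.search(decoded)
        if match:
            findings.append({
                "family": family,
                "expression": match.group(0),
                "arithmetic_probe": bool(ARITHMETIC_PROBE.search(match.group(0))),
            })
    return findings


def scan_log_lines(lines: list[str]) -> list[dict]:
    """Parse access-log lines and flag query parameters carrying template delimiters."""
    results = []
    for line in lines:
        parsed = LOG_LINE.match(line)
        if not parsed:
            continue  # not a request line we know how to read; skip rather than guess
        status = int(parsed.group("status"))
        query = urlsplit(parsed.group("target")).query
        # parse_qsl performs the first decoding round; fully_decode handles the rest.
        for name, value in parse_qsl(query, keep_blank_values=True):
            for finding in inspect_value(value):
                finding.update({
                    "ip": parsed.group("ip"),
                    "param": name,
                    "status": status,
                    # A 5xx right after a probe is the error-message leak the
                    # attacker is fishing for; it deserves the highest priority.
                    "server_error": status >= 500,
                })
                results.append(finding)
    return results


# Constructed sample log lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [28/Dec/2025:10:00:01 +0000] "GET /profile?name=alice HTTP/1.1" 200 512',
    '203.0.113.7 - - [28/Dec/2025:10:00:02 +0000] "GET /profile?name=%7B%7B7*7%7D%7D HTTP/1.1" 200 498',
    '203.0.113.7 - - [28/Dec/2025:10:00:03 +0000] "GET /profile?name=%2524%257B7*7%257D HTTP/1.1" 500 0',
    '198.51.100.9 - - [28/Dec/2025:10:00:04 +0000] "GET /search?q=%3C%25%3D+7*7+%25%3E HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for finding in scan_log_lines(SAMPLE_LOG):
        flag = "!! 5xx" if finding["server_error"] else ""
        print(f'{finding["ip"]} {finding["param"]}={finding["expression"]!r} '
              f'-> {finding["family"]} arithmetic={finding["arithmetic_probe"]} {flag}')
```

The third sample line is double-encoded (`%2524` decodes to `%24`, then to `$`), which is why decoding is repeated rather than done once; the fourth shows that `parse_qsl` already turns `+` into a space, so the ERB-style `<%= 7*7 %>` is recovered intact. Legitimate input can contain `{{` or `${` (documentation pages, template-editing UIs), so the output is a prioritised worklist for review rather than a block decision.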
H1 Agent Mapping
| Vulnerability | Primary Agent | Pipeline |
|---|---|---|
| XSS | h1-hunter-agent | Manual + Burp |
| SQLi | h1-hunter-agent | sqlmap automation |
| SSRF | h1-hunter-agent | Collaborator-based |
| XXE | h1-hunter-agent | XML fuzzing |
| SSTI | h1-hunter-agent | Template fuzzing |
CWE Rankings (2024)
| Rank | CWE | Vulnerability | Score |
|---|---|---|---|
| 1 | CWE-79 | XSS | 56.92 |
| 3 | CWE-89 | SQL Injection | 35.88 |
| 7 | CWE-78 | OS Command Injection | 11.30 |
Bug Bounty Priority
| Vulnerability | Typical Payout | Difficulty |
|---|---|---|
| Stored XSS | $500-$5K | Medium |
| SQLi with data access | $3K-$20K | Medium |
| SSRF to internal services | $5K-$20K | Medium |
| XXE with file read | $2K-$10K | Medium |
| RCE via SSTI | $10K-$50K | Hard |
Navigation
- Previous: 05_linux_kernel
- Next: 07_blue_team
- Main: Knowledge Base README
Practical Examples
Practice examples coming soon. Check the Certs section for related labs.
Test Questions
What is a CSRF token bypass technique?
What is clickjacking?
How do you prevent clickjacking?