
Template Injection

A vulnerability where user input is embedded into a template engine, allowing attackers to execute arbitrary code on the server or client.

Template injection occurs when an application incorporates user-supplied input directly into a template before rendering it, rather than passing the input as data to the template. This allows an attacker to inject template directives that the template engine interprets and executes. Depending on the template engine and the context, this can escalate from simple information disclosure to full remote code execution on the server.

How It Works

Template engines like Jinja2, Twig, FreeMarker, and Velocity are designed to combine static layouts with dynamic data. When a developer mistakenly concatenates user input into the template string itself rather than passing it as a variable, the engine treats the attacker-controlled input as part of its own syntax. For example, if a Jinja2 application renders a greeting by embedding a username directly into the template string, an attacker who submits {{7*7}} as their name would see 49 rendered in the response, confirming that the expression was evaluated.

Server-side template injection (SSTI) is the more dangerous variant. Once an attacker confirms that template expressions are being evaluated, they can typically traverse the object hierarchy within the template engine to access dangerous classes and methods. In Python-based engines, this often means reaching the os module to execute system commands. The attack surface varies by engine, but the principle remains consistent: the attacker uses the template language's own capabilities to break out of the intended rendering context.
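The following is an added illustration, not code from this glossary or from any particular project, of the distinction the two paragraphs above draw: the same Jinja2 greeting built by concatenating the username into the template source versus passing it as data, plus a sandboxed render as a defence-in-depth layer. It assumes the jinja2 package is installed; the function names, the benign {{7*7}} probe from the text and the sample inputs are constructed for the demonstration.

```python
"""Vulnerable vs. safe greeting rendering with Jinja2 (added illustration).

Assumes the `jinja2` package is installed. The function names and the
input values used below are constructed for this demonstration.
"""
from jinja2 import Template
from jinja2.sandbox import SandboxedEnvironment

# The probe string from the text: a harmless arithmetic expression that
# reveals whether the engine is evaluating input as template syntax.
PROBE = "{{7*7}}"


def greet_vulnerable(username: str) -> str:
    """Concatenates user input INTO the template source (the bug).

    Jinja2 now parses the username as part of the template, so any
    expression or directive contained in it is evaluated server-side.
    """
    template_source = "Hello " + username + "!"
    return Template(template_source).render()


def greet_safe(username: str) -> str:
    """Passes user input to a fixed template as DATA (the fix).

    The template source is a constant; the input is only substituted as
    a value, so template syntax inside it is rendered as literal text.
    autoescape=True additionally HTML-escapes the value for browsers.
    """
    template = Template("Hello {{ name }}!", autoescape=True)
    return template.render(name=username)


def greet_sandboxed(username: str) -> str:
    """Defence in depth: the fixed template rendered in Jinja2's sandbox.

    SandboxedEnvironment restricts attribute access and unsafe calls
    inside expressions, limiting the blast radius if template source is
    ever built from untrusted input elsewhere in the code base. It is a
    mitigation, not a substitute for keeping input out of the template.
    """
    env = SandboxedEnvironment(autoescape=True)
    return env.from_string("Hello {{ name }}!").render(name=username)


def is_evaluated(rendered: str) -> bool:
    """Detection helper: was the probe evaluated (49) or echoed back?"""
    return "49" in rendered and PROBE not in rendered


if __name__ == "__main__":
    for fn in (greet_vulnerable, greet_safe, greet_sandboxed):
        out = fn(PROBE)
        print(f"{fn.__name__:17} -> {out!r}  evaluated={is_evaluated(out)}")
```

Running the module prints "Hello 49!" for the vulnerable function and the literal "Hello {{7*7}}!" for the two safe ones. The same is_evaluated check is what a test suite can assert against a real endpoint: submit the probe as input and fail the build if 49 comes back.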

Client-side template injection targets JavaScript frameworks like AngularJS that process templates in the browser. While this variant cannot directly compromise the server, it can bypass client-side security controls and execute arbitrary JavaScript in the victim's browser, functioning similarly to cross-site scripting.

Why It Matters

Template injection is frequently overlooked during development because developers focus on SQL injection and XSS prevention while assuming template engines are inherently safe. In reality, SSTI can provide the shortest path from a simple input field to complete server compromise. Identifying this vulnerability requires understanding which template engine is in use and testing with engine-specific payloads, making it a valuable skill during penetration testing engagements.
