Old-fashioned web applications built (and partly still build) HTML responses like this.

This type of HTML structure is not only rigid but also terribly insecure. Such applications are usually quite easy to inject the attacker's own HTML/JavaScript code, which leads to XSS vulnerabilities.

A more modern approach is to use templates. Templates are separate HTML files that are also partly code files. The desired data is then given to the template, and the template builds the HTML. There is no vulnerability in this code because the template can safely build the HTML in a way that it doesn't matter what the attacker has entered as a name, it doesn't become dangerously part of the HTML structure.

Template injection vulnerability is very similar to traditional HTML injection (which leads to XSS vulnerability), but much more serious because unlike HTML (which is executed in the browser), templates are executed as code on the server side before the resulting HTML built as a result of template execution is returned to the browser.

This is an example of a vulnerable Flask application that incorrectly uses the Jinja2 template engine, allowing user input to affect the template itself, rather than just the data given to the template, as it should have been.

Python's JInja2 is not the only template engine, but there are many of them for different programming languages. However, almost all template engines share the syntax where double curly braces execute an expression, such as printing a variable or performing a calculation.

The traditional way to detect template injections is to input

in the input and check if the application returns "49" in the same place in the HTML. This is a clear indication of a template injection.

Template injections almost always result in an attacker being able to execute arbitrary code on the application server (RCE, Remote Code Execution). How the execution of the code is achieved varies quite a bit depending on the programming language and template engine. We will explore these in this course.

Template injection is easy to avoid. You just need to keep the template completely static, so that the template itself cannot be affected in any way. Only the data in the template can be influenced, not the structure.

All dynamically built templates are a danger zone.

Templaatti-injektioilta on helppo välttyä. Ei tarvitse muuta kuin pitää templaatti täysin staattisena niin, ettei itse templaattiin voi vaikuttaa millään tavalla. Pelkästään templaatin dataan saa vaikuttaa, ei rakenteeseen.

Kaikki dynaamisesti rakennetut templaatit ovat vaaranpaikka.

Protection from injections

Injektioilta suojautuminen

## What are templates?

Old-fashioned web applications built (and partly still build) HTML responses like this.

```python
html = &quot;<h1> Welcome, &quot; + name + &quot;</h1> return html
```

This type of HTML structure is not only rigid but also terribly insecure. Such applications are usually quite easy to inject the attacker's own HTML/JavaScript code, which leads to XSS vulnerabilities.

A more modern approach is to use templates. Templates are separate HTML files that are also partly code files. The desired data is then given to the template, and the template builds the HTML. There is no vulnerability in this code because the template can safely build the HTML in a way that it doesn't matter what the attacker has entered as a name, it doesn't become dangerously part of the HTML structure.

```python
template = &quot;<h1> Welcome, {{name}}</h1> &quot; return render_template(template, name=name)
```

---

## Template Injection

Template injection vulnerability is very similar to traditional HTML injection (which leads to XSS vulnerability), but much more serious because unlike HTML (which is executed in the browser), templates are executed as code on the server side before the resulting HTML built as a result of template execution is returned to the browser.

This is an example of a vulnerable Flask application that incorrectly uses the Jinja2 template engine, allowing user input to affect the template itself, rather than just the data given to the template, as it should have been.

```python
if request.method == &#39;POST&#39;: name = request.form[&#39;name&#39;] template = f&#39;<h1> Welcome, { name }!</h1> &#39; return render_template_string(template) else: template = &#39;&#39;&#39;<form method="POST"> <label for="name">Name:</label><input type="text" name="name" id="name"> <button type="submit">send</button></form> &#39;&#39;&#39; return render_template_string(template)
```

---

## Detecting Vulnerabilities

Python's JInja2 is not the only template engine, but there are many of them for different programming languages. However, almost all template engines share the syntax where double curly braces execute an expression, such as printing a variable or performing a calculation.

The traditional way to detect template injections is to input** \{\{7\*7\}\} **in the input and check if the application returns "49" in the same place in the HTML. This is a clear indication of a template injection.

Let's try:

![](sanity:image-08fa81f97b9e63f041ac526385687250f51e7048-912x130-png)

![](sanity:image-a9c8ea783af19b2abaca7011b39cc63dc81a7f2c-1058x196-png)

---

## Exploiting Vulnerability

Template injections almost always result in an attacker being able to execute arbitrary code on the application server (RCE, Remote Code Execution). How the execution of the code is achieved varies quite a bit depending on the programming language and template engine. We will explore these in this course.

@embed d65cd3cdcb23


Templaatti-injektioilta on helppo välttyä. Ei tarvitse muuta kuin pitää templaatti täysin staattisena niin, ettei itse templaattiin voi vaikuttaa millään tavalla. Pelkästään templaatin dataan saa vaikuttaa, ei rakenteeseen.

Kaikki dynaamisesti rakennetut templaatit ovat vaaranpaikka.

What are Template Injections (SSTI)?

HTML is typically built with templates precisely to avoid injection vulnerabilities, but sometimes it happens so miserably that the injection hits the template itself, and in that case the consequences are serious.

Typically, HTML is built with templates in order to avoid injection vulnerabilities, but sometimes it happens unfortunately that the injection hits the template itself, and in this case the consequences are serious.

What are Template Injections (SSTI)?

What are templates?

Learn to hack — start here