In SSTI test we first manually check if your web application uses template engine by manipulating HTTP GET and POST requests and using special characters commonly used in template expressions.
Once we detect the template engine we move on to identify if there are any vulnerabilities that could allow the end users to introduce an array of serious risks by editing the templates and take control of the web servers or obtain Remote Code Execution.
We can test SSTI if your web application uses one of these template engines
PHP – Smarty, Twigs
Ruby – ERB
JAVA – Velocity, Freemaker, Pebble, Jinjava
Python – Jinja2, Mako
It depends mostly on how soon we are able to identify all the input points to start testing with payloads. Once we identify the vulnerability than we require time to put together a report.
Report will include all the detected input vector and their testing and detailed analysis of all the template injection vulnerability found.
Based on our finding through our extensive tests we will provide recommendations in the report on how to fix the template injection vulnerability.