đŸ”Ĩ Server Side Template Injection (SSTI) - Complete Red Team Guide

📋 Table of Contents

  1. 🧠 Core Theory & Concepts
  2. đŸŽ¯ Hacker's Strategy & Mindset
  3. 🧭 Target Mapping & Attack Surface Discovery
  4. ⚒ī¸ Tools + Manual Approach Combo
  5. 🚀 Step-by-Step Exploitation
  6. đŸ§Ē Bypass + WAF Evasion
  7. 🎭 Authentication/Session Abuse
  8. 🛡ī¸ Blue Team View
  9. 📝 Reporting Like a Pro
  10. 🧰 Learning Resources & Labs
  11. 🧠 Red Team Extra Knowledge
  12. đŸŽ¯ CTF/Interview Ready Section

1. 🧠 Core Theory & Concepts {#core-theory}

Vulnerability āĻŸāĻž āĻ†āĻ¸āĻ˛ā§‡ āĻ•ā§€?

Server Side Template Injection (SSTI) āĻšāĻ˛ā§‹ āĻāĻ•āĻŸāĻŋ critical vulnerability āĻ¯ā§‡āĻ–āĻžāĻ¨ā§‡ attacker server-side template engine-āĻ malicious code inject āĻ•āĻ°āĻ¤ā§‡ āĻĒāĻžāĻ°ā§‡āĨ¤ āĻāĻŸāĻŋ āĻ˜āĻŸā§‡ āĻ¯āĻ–āĻ¨ user input āĻ¸āĻ°āĻžāĻ¸āĻ°āĻŋ template engine-āĻ pass āĻšāĻ¯āĻŧ āĻ•ā§‹āĻ¨ proper validation āĻ›āĻžāĻĄāĻŧāĻžāĻ‡āĨ¤

āĻ¸āĻšāĻœ āĻ•āĻĨāĻžāĻ¯āĻŧ: Web application āĻ¯āĻ–āĻ¨ dynamic content generate āĻ•āĻ°āĻžāĻ° āĻœāĻ¨ā§āĻ¯ template engine āĻŦā§āĻ¯āĻŦāĻšāĻžāĻ° āĻ•āĻ°ā§‡ (āĻ¯ā§‡āĻŽāĻ¨ Jinja2, Twig, Freemarker), āĻāĻŦāĻ‚ user input āĻ¸ā§‡āĻ‡ template-āĻ directly embed āĻšāĻ¯āĻŧā§‡ āĻ¯āĻžāĻ¯āĻŧ, āĻ¤āĻ–āĻ¨ SSTI vulnerability āĻ¤ā§ˆāĻ°āĻŋ āĻšāĻ¯āĻŧāĨ¤

āĻāĻŸāĻž āĻ•āĻŋāĻ­āĻžāĻŦā§‡ āĻ•āĻžāĻœ āĻ•āĻ°ā§‡?