Template Injection

Template engines let developers and designers separate programming logic from the presentation of data when building dynamic web pages. Rather than one monolithic file that receives the HTTP request, queries the database and formats the result for the user, the template holds only the presentation, and the code that computes the data lives elsewhere (as an aside, most frameworks and content management systems go a step further and also separate request handling from the data-access layer).


Server Side Template Injection (SSTI) occurs when user input ends up inside the template source itself, so the engine parses it as template syntax rather than substituting it as data. The effect resembles XSS, except that the injected expressions are evaluated on the server, inside the template engine, and the fix is not to sanitize the input but to keep it out of the template source entirely (pass it as a render-context variable instead). For example, Jinja2 is the templating engine used by Flask in Python, and borrowing from nVisium, a vulnerable 404 error page might look like:

from flask import Flask, request, render_template_string

app = Flask(__name__)

@app.errorhandler(404)
def page_not_found(e):
    # Vulnerable: request.url is spliced into the template SOURCE with the
    # % operator before Jinja2 parses it, so any template syntax in the URL
    # (e.g. {{ 7*7 }}) is evaluated server-side. The doubled %% are only
    # there because the string goes through %-formatting first.
    template = '''{%% extends "layout.html" %%}
{%% block body %%}
<div class="center-content error">
  <h1>Oops! That page doesn't exist.</h1>
  <h3>%s</h3>
</div>
{%% endblock %%}
''' % (request.url)
    return render_template_string(template), 404

Source: (https://nvisium.com/blog/2016/03/09/exploring-ssti-in-flask-jinja2)
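
The following is an added example, not code from the nVisium post or from Flask. It reproduces the same handler with plain Jinja2 so it runs offline without a web server (Flask's render_template_string is a thin wrapper around the app's Jinja environment and its from_string method), puts the hardened version beside it, and adds the standard {{ 7*7 }} probe used to tell the two apart. The layout.html content and the example.test URLs are constructed stand-ins.

```python
"""Added example (not from the original page): SSTI in a Jinja2 404 page,
the vulnerable form next to the fixed form, plus a detection probe."""
from jinja2 import Environment, DictLoader

# Constructed stand-in for the site's layout.html so {% extends %} resolves
# without touching the filesystem.
LAYOUT = "<html><body>{% block body %}{% endblock %}</body></html>"

# autoescape=True mirrors Flask's default for HTML templates.
env = Environment(loader=DictLoader({"layout.html": LAYOUT}), autoescape=True)


def render_404_vulnerable(requested_url: str) -> str:
    """Mirrors the original handler: the URL is spliced into the template
    SOURCE with %-formatting, so Jinja2 parses and evaluates any {{ }} or
    {% %} the attacker placed in the URL."""
    template = '''{%% extends "layout.html" %%}
{%% block body %%}
<div class="center-content error">
  <h1>Oops! That page doesn't exist.</h1>
  <h3>%s</h3>
</div>
{%% endblock %%}''' % requested_url
    return env.from_string(template).render()


def render_404_safe(requested_url: str) -> str:
    """Hardened version: the template source is a constant and the URL is
    passed as DATA in the render context. It is substituted as a value and
    HTML-escaped by autoescape, never parsed as template syntax."""
    template = '''{% extends "layout.html" %}
{% block body %}
<div class="center-content error">
  <h1>Oops! That page doesn't exist.</h1>
  <h3>{{ requested_url }}</h3>
</div>
{% endblock %}'''
    return env.from_string(template).render(requested_url=requested_url)


def is_injectable(render, probe: str = "{{ 7*7 }}", marker: str = "49") -> bool:
    """Classic SSTI probe: if arithmetic inside {{ }} comes back evaluated
    (49 present, the literal probe gone), the input reached the parser."""
    out = render("http://example.test/" + probe)
    return marker in out and probe not in out


if __name__ == "__main__":
    print("vulnerable handler injectable:", is_injectable(render_404_vulnerable))
    print("safe handler injectable:      ", is_injectable(render_404_safe))
```

The probe deliberately checks both that the marker appeared and that the literal probe disappeared, so a page that merely echoes the URL is not misreported as injectable. In a real engagement, confirming evaluation of arithmetic is the first step; what an attacker can reach from there depends on the objects exposed in the template context, which is why passing only the data the template needs matters as much as not concatenating the source.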