Template engines power:
1. Login pages
2. Email templates
3. Error messages
4. Admin dashboards
When user input is rendered inside templates without proper handling, attackers can execute logic on the server.
This is not theoretical.
Template Injection has caused:
1. Data exposure
2. Server command execution
3. Full application compromise
Most incidents happen due to developer assumptions, not advanced attackers.
What Is Template Injection?
Template Injection occurs when:
1. User input is embedded in a template
2. The template engine evaluates it as code
Instead of displaying the input as text, the server evaluates it as an expression.
This is different from XSS:
1. XSS runs in the browser
2. Template Injection runs on the server
That difference is critical.
Common Template Engines Affected
Real-world cases involve:
1. Jinja2 (Python/Flask)
2. Twig (PHP)
3. Velocity (Java)
4. FreeMarker (Java)
5. Handlebars (misuse cases)
The engines themselves are not defective; the problem is application code that hands user-controlled text to the engine as template source instead of passing it in as data.
Simple Signs a Page Might Be Vulnerable
1. You may see mathematical expressions being evaluated.
2. You may see error messages referencing a template.
3. You may receive unexpected output from special symbols.
Example test input:
{{7*7}}
If the page displays:
49
That’s a serious warning.
Real Example: Admin Email Template
A SaaS platform allowed admins to customize email messages.
Input field:
Welcome {{ user.name }}
An attacker entered:
{{ config.items() }}
The result:
1. The application's configuration was leaked.
2. The API keys stored in it were exposed.
3. A full incident response was required.
Commonly used payloads to test for template injection
These examples may be used for detection and testing purposes only.
Basic Expression Test
{{7*7}}
Object Access Testing
{{self}}
Environment Leak (Python/Jinja2)
{{ cycler.__init__.__globals__.os.environ }}
Command Execution Indicators
{{ ''.__class__.__mro__ }}
If any of these produce output, the engine is evaluating your input as code, and an attacker who knows the engine's object model can usually escalate from there to arbitrary code execution.
Detection and Testing Tools
Manual Testing
1. Basic payloads.
2. Output or error checking.
3. It is often sufficient for a risk assessment.
tplmap (Security Assessment Tool)
1. Detects template engines.
2. Tests payloads in a controlled way.
3. Frequently used by red teams and auditors.
Example usage:
python tplmap.py -u "https://site/page?name=test"
Burp Suite (Community or Professional)
1. Request interception.
2. Controlled payload injection.
3. Observing responses from the server.
Often employed in code review or penetration testing.
Application Logs
Many issues with template injection will manifest first as:
1. Exception stack traces.
2. Template syntax errors.
3. Unexpected rendering errors.
Logs are an early warning system for template injection.
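The three warning signs above can be turned into a simple log triage. The following is an added example written for this article, not code from the article itself: it scans constructed sample log lines for template delimiters in request parameters and for the exception class names the listed engines raise when a template breaks. The log lines are made up for the example; the exception class prefixes (jinja2.exceptions, freemarker.core, org.apache.velocity.exception, Twig\Error) are the real ones, and the delimiter set goes slightly beyond the article by also covering the `{% %}`, `${ }` and `#{ }` syntaxes of the other engines it names.

```python
"""Log triage for early signs of template injection (added example)."""
import re
from urllib.parse import unquote_plus

# Constructed sample log lines, not taken from any real system.
SAMPLE_LOG = """\
2024-01-01T10:00:01Z INFO  GET /welcome?name=alice 200
2024-01-01T10:00:02Z INFO  GET /welcome?name=%7B%7B7*7%7D%7D 200
2024-01-01T10:00:03Z ERROR jinja2.exceptions.TemplateSyntaxError: unexpected '}' while rendering /welcome
2024-01-01T10:00:04Z ERROR jinja2.exceptions.UndefinedError: 'config' is undefined
2024-01-01T10:00:05Z INFO  POST /admin/email-template 302
2024-01-01T10:00:06Z ERROR freemarker.core.ParseException: Syntax error in template "mail.ftl"
2024-01-01T10:00:07Z INFO  GET /search?q=%24%7Bhello%7D 200
"""

# Delimiters that mean "evaluate me" to the engines the article lists:
# {{ }} and {% %} (Jinja2, Twig, Handlebars), ${ } (FreeMarker, Velocity),
# #{ } (Velocity).
TEMPLATE_SYNTAX = re.compile(r"\{\{.*?\}\}|\{%.*?%\}|\$\{.*?\}|#\{.*?\}", re.S)

# Exception class prefixes emitted by common engines when a template breaks.
ENGINE_ERRORS = re.compile(
    r"jinja2\.exceptions\.\w+"
    r"|freemarker\.(?:core|template)\.\w+"
    r"|org\.apache\.velocity\.exception\.\w+"
    r"|Twig\\Error\\\w+"
)

# Method followed by the request target, as in a typical access log line.
REQUEST_LINE = re.compile(r"\b(?:GET|POST|PUT|PATCH|DELETE)\s+(\S+)")


def find_template_syntax_in_requests(log_text: str) -> list[str]:
    """Return decoded request targets that contain template delimiters."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        target = unquote_plus(m.group(1))  # probes usually arrive URL-encoded
        if TEMPLATE_SYNTAX.search(target):
            hits.append(target)
    return hits


def find_engine_errors(log_text: str) -> list[str]:
    """Return template-engine exception names seen anywhere in the log."""
    return [
        m.group(0)
        for line in log_text.splitlines()
        for m in ENGINE_ERRORS.finditer(line)
    ]


def triage(log_text: str) -> dict[str, list[str]]:
    """Group both kinds of finding so they can be reviewed together."""
    return {
        "template_syntax_in_requests": find_template_syntax_in_requests(log_text),
        "engine_errors": find_engine_errors(log_text),
    }


if __name__ == "__main__":
    for kind, items in triage(SAMPLE_LOG).items():
        print(kind)
        for item in items:
            print("   ", item)
```

A request line that carries template syntax and a template-engine exception a second or two later is the pattern worth alerting on; either signal alone is noisy (engine exceptions also come from broken developer templates), but together they point at a probe that reached the renderer.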
Why Developers Overlook This
Typical reasons:
1. "It's only text."
2. Trusting that only administrators will use these functions.
3. Re-use of rendering logic.
4. Mixing logic and presentation.
Templates appear secure until they prove otherwise.
Template Injection Prevention
1. Never Render Raw User Input as a Template
Incorrect:
render_template_string(user_input)
Correct:
render_template('page.html', data=user_input)
Let the template handle the data, not the logic.
2. Enforce Strict Template Modes
1. Disable unsafe functions
2. Place limits on object access
3. Create an enforced sandbox environment
Most template engines offer such a mode.
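The admin email case above, prevention step 1 and prevention step 2 can all be shown in a few lines. The following is an added example, not code from the article: it uses Jinja2 directly rather than Flask so it runs without a web server (Flask's render_template_string is a thin wrapper over the same from_string call). The function names are this example's own; the Jinja2 classes (Environment, SandboxedEnvironment, SecurityError) are real. The string.Template variant for admin-written messages is a design suggestion added here, not something the article prescribes.

```python
"""Vulnerable pattern beside its fixes, using the article's own probe inputs."""
from string import Template

from jinja2 import Environment
from jinja2.exceptions import SecurityError
from jinja2.sandbox import SandboxedEnvironment

# Constructed inputs: the two probe expressions the article shows.
PROBE_ARITHMETIC = "{{7*7}}"
PROBE_OBJECT_WALK = "{{ ''.__class__.__mro__ }}"


def render_vulnerable(user_input: str) -> str:
    """Anti-pattern: user input becomes the template *source*, so the engine
    evaluates whatever expression the user wrote. This is what
    render_template_string(user_input) does with its first argument."""
    env = Environment(autoescape=True)
    return env.from_string(user_input).render()


def render_as_data(user_input: str) -> str:
    """Fix (prevention step 1): the template text is fixed by the developer
    and the user value is passed as a variable. Jinja2 never re-parses
    variable values, so '{{7*7}}' comes back as literal characters, not 49."""
    env = Environment(autoescape=True)
    return env.from_string("Welcome {{ name }}").render(name=user_input)


def render_in_sandbox(template_source: str) -> str:
    """Defence in depth (prevention step 2) for the case where a trusted but
    non-developer user, such as an admin customising an email, really must
    supply template text. SandboxedEnvironment refuses underscore-prefixed
    attributes, so the object walk raises SecurityError instead of rendering.
    Only a minimal, purpose-built context is exposed: no config, no request."""
    env = SandboxedEnvironment(autoescape=True)
    return env.from_string(template_source).render(user={"name": "alice"})


def render_admin_message(admin_text: str, user_name: str) -> str:
    """Stronger option for the admin-email case (assumed design, not the
    article's): no template engine at all. string.Template substitutes only
    $name placeholders and has no expression language, so there is nothing
    for a payload to evaluate; '{{7*7}}' is just text to it."""
    return Template(admin_text).safe_substitute(name=user_name)


def sandbox_blocks(template_source: str) -> bool:
    """True if the sandbox refused to render this template source."""
    try:
        render_in_sandbox(template_source)
    except SecurityError:
        return True
    return False


if __name__ == "__main__":
    print(render_vulnerable(PROBE_ARITHMETIC))          # 49 (evaluated)
    print(render_as_data(PROBE_ARITHMETIC))             # Welcome {{7*7}}
    print(sandbox_blocks(PROBE_OBJECT_WALK))            # True
    print(sandbox_blocks(PROBE_ARITHMETIC))             # False: arithmetic is allowed
    print(render_admin_message("Welcome $name {{7*7}}", "alice"))
```

Note what the sandbox does and does not do: it blocks the object walk but still evaluates {{7*7}} to 49, because its job is to limit object and attribute access, not to stop expression evaluation. That is why step 1 (input as data) is the primary fix and the sandbox is a second layer for the admin-template case only.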
3. Keep Logic Out of Templates
Templates are designed to:
1. Display data
2. Not compute or execute
Any logic a template needs should live in application code, with the result passed in as data.
4. Validate Input from Internal Users as Strictly as from External Users
An administrator is not a trusted developer.
Most template injection incidents begin with:
1. Admin-level features.
2. Template-driven output such as email or PDF generation.
3. Customization features in content management software (CMS).
To Summarize
1. Template Injection is a server-side threat.
2. A simple payload can uncover a major security flaw.
3. Most template injection incidents stem from convenience features that let users supply template text.
4. It is easier to prevent than to clean up a Template Injection incident.
5. Templates should be used to render output and not perform computations.
If a template can do computation, it can be compromised and used as a means to exploit a web application.