Server-side template injection (SSTI) - Freemarker

Freemarker is a template engine for Java, mostly used to render HTML web pages. Templates are written in the FreeMarker Template Language (FTL), a simple, specialized language. It helps to build secure applications by providing an escaping mechanism that prevents attacks like XSS.

But if used incorrectly, it can create serious security issues. If a malicious user is able to control the template itself, that user can run arbitrary FTL code. This kind of attack is called Server-Side Template Injection (SSTI) and is well documented by PortSwigger Research.

Example

Imagine the following Java code for a simple hello function.

Here the name variable is provided by the user and is concatenated directly into the template source. This is a basic template injection.
This is what the template looks like after the variable substitution:

Now let's look at what happens when we try to inject some FTL.

When the value of name is valid FTL code, the server interprets it and renders the result. Instead of the response being Hello ${4*4}!, the user receives Hello 8!.
But this is not the only thing an attacker can do in this scenario. By using Freemarker's built-in functions, it's possible to do a lot more, for example:
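The following is an added example, not code from the original article. It reconstructs the hello function in both forms: the vulnerable one, where the user-supplied name is concatenated into the template source, and the hardened one, where the template source is a constant and the name only enters through the data model. The class name, method names and the use of a string template (instead of a template file) are assumptions. The Configuration settings are real FreeMarker APIs: restricting the class resolver and disabling the ?api built-in limits what a template can reach even if template source is ever controlled by a user, and the HTML output format turns on auto-escaping for the XSS case the article mentions.

```java
import freemarker.core.HTMLOutputFormat;
import freemarker.core.TemplateClassResolver;
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateException;

import java.io.IOException;
import java.io.StringReader;
import java.io.StringWriter;
import java.util.HashMap;
import java.util.Map;

public class HelloTemplates {

    private static final Configuration CFG = new Configuration(Configuration.VERSION_2_3_31);

    static {
        // Defence in depth: templates may not instantiate arbitrary classes via ?new
        CFG.setNewBuiltinClassResolver(TemplateClassResolver.ALLOWS_NOTHING_RESOLVER);
        // ?api exposes raw Java objects to templates; keep it off (this is also the default)
        CFG.setAPIBuiltinEnabled(false);
        // HTML output format enables auto-escaping of ${...} interpolations
        CFG.setOutputFormat(HTMLOutputFormat.INSTANCE);
    }

    // VULNERABLE: user input becomes part of the template source, so any FTL in it is executed.
    public static String helloVulnerable(String name) throws IOException, TemplateException {
        String source = "Hello " + name + "!";
        Template t = new Template("hello", new StringReader(source), CFG);
        StringWriter out = new StringWriter();
        t.process(new HashMap<String, Object>(), out);
        return out.toString();
    }

    // SAFE: the template source is a constant; user input is only ever data in the model.
    public static String helloSafe(String name) throws IOException, TemplateException {
        Template t = new Template("hello", new StringReader("Hello ${name}!"), CFG);
        Map<String, Object> model = new HashMap<>();
        model.put("name", name);
        StringWriter out = new StringWriter();
        t.process(model, out);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed probe input: an FTL interpolation rather than a real name
        String probe = "${7*7}";
        System.out.println(helloVulnerable(probe)); // Hello 49!      (expression was evaluated)
        System.out.println(helloSafe(probe));       // Hello ${7*7}!  (printed as literal text)

        // Constructed input for the XSS case: the safe path HTML-escapes it
        System.out.println(helloSafe("<b>bob</b>")); // Hello &lt;b&gt;bob&lt;/b&gt;!
    }
}
```

The detection point for code review is the string concatenation that builds the template source: any template whose text is assembled from request data is an SSTI sink, regardless of how the data model is populated afterwards. The class resolver and ?api settings do not make that pattern safe; they only reduce what a successful injection can reach, so the concatenation itself still has to go.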

Trainings

Now that you know the basics of SSTI with Freemarker, you can test your skills on our official challenges: