What is server-side template injection?

Server-side template injection is when an attacker is able to use native template syntax to inject a malicious payload into a template, which is then executed server-side. Template engines are designed to generate web pages by combining fixed templates with volatile data. Server-side template injection attacks can occur when user input is concatenated directly into a template, rather than passed in as data | Karthikeyan Nagaraj

Karthikeyan Nagaraj
8 min readApr 21, 2024

--

What is server-side template injection?

Server-side template injection is when an attacker is able to use native template syntax to inject a malicious payload into a template, which is then executed server-side.

Template engines are designed to generate web pages by combining fixed templates with volatile data. Server-side template injection attacks can occur when user input is concatenated directly into a template, rather than passed in as data. This allows attackers to inject arbitrary template directives in order to manipulate the template engine, often enabling them to take complete control…

--

--

Karthikeyan Nagaraj
Karthikeyan Nagaraj

Written by Karthikeyan Nagaraj

Entrepreneur | Writer | Cyber Security Consultant | AI Researcher