Glossary

SERVER-SIDE TEMPLATE INJECTION / SSTI
defined.

An attack where attacker-controlled input is interpreted as part of a server-side template — allowing arbitrary expression evaluation and often full RCE.

A–Z

What is Server-Side Template Injection (SSTI)?

Modern web frameworks (Jinja2, Twig, Velocity, ERB, Handlebars) compile templates server-side. If user input lands in the template before rendering — not just as a variable — the attacker controls the template syntax. Tooling like tplmap automates exploitation.

Related terms.

Remote Code Execution (RCE)
Cross-Site Scripting (XSS)
SQL Injection
Local File Inclusion (LFI)

Where this shows up.

See our web application penetration testing, API security testing, network penetration testing, and cloud security audit services for how we test for and defend against this class of issue.

Test for this in your stack

BOOK A FREE
scoping call.

30-minute call with an OSCP-certified engineer. Tailored proposal in 24 hours.

Book Free Scoping Call →All Services

SERVER-SIDE TEMPLATE INJECTION / SSTIdefined.

What is Server-Side Template Injection (SSTI)?

Related terms.

Where this shows up.

BOOK A FREEscoping call.

SERVER-SIDE TEMPLATE INJECTION / SSTI
defined.

BOOK A FREE
scoping call.