ZAP vs Websites Vulnerable to SSTI

Websites Vulnerable to SSTI is a set of simple servers which are vulnerable to Server Side Template Injection.

It is not available online, the GitHub repo is https://github.com/DiogoMRSilva/websitesVulnerableToSSTI It is actively maintained by a ZAP contributor: Diogo Silva.

The vulnerabilities are reported by various ZAP scan rules - if any of them find a vulnerability then we count that as a pass.

Note that the “Non Vulnerable” site is actually vulnerable to XSS attacks 😄

Section Score
All URLs
97%
Individual Tests Reflected XSS DOM XSS Expr Lang Inj Server Code Inj SSTI SSTI Blind Result
Jinja2 - Python
✓ Pass
✓ Pass
❌ FAIL
❌ FAIL
✓ Pass
❌ FAIL
✓ Pass
Mako - Python
✓ Pass
✓ Pass
✓ Pass
❌ FAIL
✓ Pass
✓ Pass
✓ Pass
(Code eval) - Python
✓ Pass
✓ Pass
❌ FAIL
❌ FAIL
✓ Pass
✓ Pass
✓ Pass
(Code exec) - Python
✓ Pass
✓ Pass
❌ FAIL
❌ FAIL
❌ FAIL
✓ Pass
✓ Pass
Smarty - PHP
✓ Pass
✓ Pass
✓ Pass
❌ FAIL
✓ Pass
✓ Pass
✓ Pass
Smarty (secure mode) - PHP
✓ Pass
✓ Pass
✓ Pass
❌ FAIL
✓ Pass
❌ FAIL
✓ Pass
Twig - PHP
✓ Pass
✓ Pass
❌ FAIL
❌ FAIL
✓ Pass
❌ FAIL
✓ Pass
(Code eval) - PHP
❌ FAIL
❌ FAIL
❌ FAIL
✓ Pass
❌ FAIL
❌ FAIL
✓ Pass
FreeMarker - Java
❌ FAIL
✓ Pass
❌ FAIL
❌ FAIL
❌ FAIL
❌ FAIL
✓ Pass
Velocity - Java
❌ FAIL
✓ Pass
❌ FAIL
❌ FAIL
❌ FAIL
❌ FAIL
✓ Pass
Thymeleaf - Java
❌ FAIL
✓ Pass
❌ FAIL
❌ FAIL
❌ FAIL
❌ FAIL
✓ Pass
Jade - Nodejs
✓ Pass
❌ FAIL
❌ FAIL
❌ FAIL
✓ Pass
✓ Pass
✓ Pass
Nunjucks - JavaScript
✓ Pass
✓ Pass
❌ FAIL
❌ FAIL
✓ Pass
✓ Pass
✓ Pass
doT - JavaScript
✓ Pass
✓ Pass
❌ FAIL
❌ FAIL
✓ Pass
✓ Pass
✓ Pass
Dust - JavaScript
✓ Pass
✓ Pass
❌ FAIL
❌ FAIL
✓ Pass
❌ FAIL
✓ Pass
EJS - JavaScript
✓ Pass
✓ Pass
❌ FAIL
❌ FAIL
✓ Pass
✓ Pass
✓ Pass
(Code eval) - JavaScript
❌ FAIL
❌ FAIL
❌ FAIL
❌ FAIL
❌ FAIL
❌ FAIL
❌ FAIL
VueJs - JavaScript
❌ FAIL
❌ FAIL
❌ FAIL
❌ FAIL
✓ Pass
❌ FAIL
✓ Pass
Slim - Ruby
✓ Pass
✓ Pass
❌ FAIL
❌ FAIL
✓ Pass
✓ Pass
✓ Pass
ERB - Ruby
✓ Pass
✓ Pass
❌ FAIL
❌ FAIL
✓ Pass
✓ Pass
✓ Pass
(Code eval) - Ruby
❌ FAIL
✓ Pass
❌ FAIL
❌ FAIL
❌ FAIL
❌ FAIL
✓ Pass
go - go
✓ Pass
✓ Pass
❌ FAIL
❌ FAIL
✓ Pass
❌ FAIL
✓ Pass
Input rendered in other location
❌ FAIL
✓ Pass
❌ FAIL
❌ FAIL
❌ FAIL
❌ FAIL
✓ Pass
Rendering result not visible to attacker
❌ FAIL
❌ FAIL
❌ FAIL
❌ FAIL
❌ FAIL
✓ Pass
✓ Pass
Input inserted in the middle of template code math operations
❌ FAIL
❌ FAIL
❌ FAIL
❌ FAIL
❌ FAIL
✓ Pass
✓ Pass
Non Vulnerable
✓ Pass
✓ Pass
❌ FAIL
❌ FAIL
❌ FAIL
❌ FAIL
✓ Pass
Input inserted in the middle of template code text
✓ Pass
❌ FAIL
❌ FAIL
❌ FAIL
❌ FAIL
❌ FAIL
✓ Pass
{ } Python Eval
✓ Pass
✓ Pass
✓ Pass
❌ FAIL
✓ Pass
✓ Pass
✓ Pass
${ } Python Eval
✓ Pass
✓ Pass
✓ Pass
❌ FAIL
✓ Pass
✓ Pass
✓ Pass
{{ }} Python Eval
✓ Pass
✓ Pass
❌ FAIL
❌ FAIL
✓ Pass
✓ Pass
✓ Pass
<%= %> Python Eval ERB
✓ Pass
✓ Pass
❌ FAIL
❌ FAIL
✓ Pass
❌ FAIL
✓ Pass
#{ } Python Eval
✓ Pass
✓ Pass
❌ FAIL
❌ FAIL
✓ Pass
❌ FAIL
✓ Pass
{{= }} Python Eval
✓ Pass
✓ Pass
❌ FAIL
❌ FAIL
✓ Pass
❌ FAIL
✓ Pass
{ } Ruby Eval
✓ Pass
✓ Pass
✓ Pass
❌ FAIL
✓ Pass
✓ Pass
✓ Pass
${ } Ruby Eval
✓ Pass
✓ Pass
✓ Pass
❌ FAIL
✓ Pass
❌ FAIL
✓ Pass
{{ }} Ruby Eval YBNE Nunjucks
✓ Pass
✓ Pass
❌ FAIL
❌ FAIL
✓ Pass
❌ FAIL
✓ Pass
<%= %> Ruby Eval Erb
✓ Pass
✓ Pass
❌ FAIL
❌ FAIL
✓ Pass
✓ Pass
✓ Pass
#{ } Ruby Eval
✓ Pass
✓ Pass
❌ FAIL
❌ FAIL
✓ Pass
✓ Pass
✓ Pass
{{= }} Ruby Eval
✓ Pass
✓ Pass
❌ FAIL
❌ FAIL
✓ Pass
❌ FAIL
✓ Pass
Total Passes
29
32
7
1
27
18
38