Websites Vulnerable to SSTI is a set of simple servers which are vulnerable to Server Side Template Injection.
It is not available online; the GitHub repo is https://github.com/DiogoMRSilva/websitesVulnerableToSSTI. It is actively maintained by a ZAP contributor, Diogo Silva.
The vulnerabilities are reported by various ZAP scan rules: if any of those rules finds a vulnerability in a given test site, we count that site as a pass.
Note that the “Non Vulnerable” site is actually vulnerable to XSS attacks 😄
| Section | Score |
|---|---|
| All URLs | 97% |

| Individual Tests | Reflected XSS | DOM XSS | Expr Lang Inj | Server Code Inj | SSTI | SSTI Blind | Result |
|---|---|---|---|---|---|---|---|
| Jinja2 - Python | ✓ Pass | ✓ Pass | ❌ FAIL | ❌ FAIL | ✓ Pass | ❌ FAIL | ✓ Pass |
| Mako - Python | ✓ Pass | ✓ Pass | ✓ Pass | ❌ FAIL | ✓ Pass | ✓ Pass | ✓ Pass |
| (Code eval) - Python | ✓ Pass | ✓ Pass | ❌ FAIL | ❌ FAIL | ✓ Pass | ✓ Pass | ✓ Pass |
| (Code exec) - Python | ✓ Pass | ✓ Pass | ❌ FAIL | ❌ FAIL | ❌ FAIL | ✓ Pass | ✓ Pass |
| Smarty - PHP | ✓ Pass | ✓ Pass | ✓ Pass | ❌ FAIL | ✓ Pass | ✓ Pass | ✓ Pass |
| Smarty (secure mode) - PHP | ✓ Pass | ✓ Pass | ✓ Pass | ❌ FAIL | ✓ Pass | ❌ FAIL | ✓ Pass |
| Twig - PHP | ✓ Pass | ✓ Pass | ❌ FAIL | ❌ FAIL | ✓ Pass | ❌ FAIL | ✓ Pass |
| (Code eval) - PHP | ❌ FAIL | ❌ FAIL | ❌ FAIL | ✓ Pass | ❌ FAIL | ❌ FAIL | ✓ Pass |
| FreeMarker - Java | ❌ FAIL | ✓ Pass | ❌ FAIL | ❌ FAIL | ❌ FAIL | ❌ FAIL | ✓ Pass |
| Velocity - Java | ❌ FAIL | ✓ Pass | ❌ FAIL | ❌ FAIL | ❌ FAIL | ❌ FAIL | ✓ Pass |
| Thymeleaf - Java | ❌ FAIL | ✓ Pass | ❌ FAIL | ❌ FAIL | ❌ FAIL | ❌ FAIL | ✓ Pass |
| Jade - Nodejs | ✓ Pass | ❌ FAIL | ❌ FAIL | ❌ FAIL | ✓ Pass | ✓ Pass | ✓ Pass |
| Nunjucks - JavaScript | ✓ Pass | ✓ Pass | ❌ FAIL | ❌ FAIL | ✓ Pass | ✓ Pass | ✓ Pass |
| doT - JavaScript | ✓ Pass | ✓ Pass | ❌ FAIL | ❌ FAIL | ✓ Pass | ✓ Pass | ✓ Pass |
| Dust - JavaScript | ✓ Pass | ✓ Pass | ❌ FAIL | ❌ FAIL | ✓ Pass | ❌ FAIL | ✓ Pass |
| EJS - JavaScript | ✓ Pass | ✓ Pass | ❌ FAIL | ❌ FAIL | ✓ Pass | ✓ Pass | ✓ Pass |
| (Code eval) - JavaScript | ❌ FAIL | ❌ FAIL | ❌ FAIL | ❌ FAIL | ❌ FAIL | ❌ FAIL | ❌ FAIL |
| VueJs - JavaScript | ❌ FAIL | ✓ Pass | ❌ FAIL | ❌ FAIL | ✓ Pass | ❌ FAIL | ✓ Pass |
| Slim - Ruby | ✓ Pass | ✓ Pass | ❌ FAIL | ❌ FAIL | ✓ Pass | ✓ Pass | ✓ Pass |
| ERB - Ruby | ✓ Pass | ✓ Pass | ❌ FAIL | ❌ FAIL | ✓ Pass | ✓ Pass | ✓ Pass |
| (Code eval) - Ruby | ❌ FAIL | ✓ Pass | ❌ FAIL | ❌ FAIL | ❌ FAIL | ❌ FAIL | ✓ Pass |
| go - go | ✓ Pass | ✓ Pass | ❌ FAIL | ❌ FAIL | ✓ Pass | ❌ FAIL | ✓ Pass |
| Input rendered in other location | ❌ FAIL | ✓ Pass | ❌ FAIL | ❌ FAIL | ❌ FAIL | ❌ FAIL | ✓ Pass |
| Rendering result not visible to attacker | ❌ FAIL | ❌ FAIL | ❌ FAIL | ❌ FAIL | ❌ FAIL | ✓ Pass | ✓ Pass |
| Input inserted in the middle of template code math operations | ❌ FAIL | ❌ FAIL | ❌ FAIL | ❌ FAIL | ❌ FAIL | ✓ Pass | ✓ Pass |
| Non Vulnerable | ✓ Pass | ✓ Pass | ❌ FAIL | ❌ FAIL | ❌ FAIL | ❌ FAIL | ✓ Pass |
| Input inserted in the middle of template code text | ✓ Pass | ✓ Pass | ❌ FAIL | ❌ FAIL | ❌ FAIL | ❌ FAIL | ✓ Pass |
| { } Python Eval | ✓ Pass | ✓ Pass | ✓ Pass | ❌ FAIL | ✓ Pass | ✓ Pass | ✓ Pass |
| ${ } Python Eval | ✓ Pass | ✓ Pass | ✓ Pass | ❌ FAIL | ✓ Pass | ✓ Pass | ✓ Pass |
| {{ }} Python Eval | ✓ Pass | ✓ Pass | ❌ FAIL | ❌ FAIL | ✓ Pass | ✓ Pass | ✓ Pass |
| <%= %> Python Eval ERB | ✓ Pass | ✓ Pass | ❌ FAIL | ❌ FAIL | ✓ Pass | ❌ FAIL | ✓ Pass |
| #{ } Python Eval | ✓ Pass | ✓ Pass | ❌ FAIL | ❌ FAIL | ✓ Pass | ❌ FAIL | ✓ Pass |
| {{= }} Python Eval | ✓ Pass | ✓ Pass | ❌ FAIL | ❌ FAIL | ✓ Pass | ❌ FAIL | ✓ Pass |
| { } Ruby Eval | ✓ Pass | ✓ Pass | ✓ Pass | ❌ FAIL | ✓ Pass | ✓ Pass | ✓ Pass |
| ${ } Ruby Eval | ✓ Pass | ✓ Pass | ✓ Pass | ❌ FAIL | ✓ Pass | ❌ FAIL | ✓ Pass |
| {{ }} Ruby Eval YBNE Nunjucks | ✓ Pass | ✓ Pass | ❌ FAIL | ❌ FAIL | ✓ Pass | ❌ FAIL | ✓ Pass |
| <%= %> Ruby Eval Erb | ✓ Pass | ✓ Pass | ❌ FAIL | ❌ FAIL | ✓ Pass | ✓ Pass | ✓ Pass |
| #{ } Ruby Eval | ✓ Pass | ✓ Pass | ❌ FAIL | ❌ FAIL | ✓ Pass | ✓ Pass | ✓ Pass |
| {{= }} Ruby Eval | ✓ Pass | ✓ Pass | ❌ FAIL | ❌ FAIL | ✓ Pass | ❌ FAIL | ✓ Pass |
| Total Passes | 29 | 34 | 7 | 1 | 27 | 18 | 38 |

Configuration
| Config | Details |
|---|---|
| Frequency | Daily |
| Scripts | https://github.com/zapbot/zap-mgmt-scripts/blob/master/scans/ssti/ |
| Action | https://github.com/zapbot/zap-mgmt-scripts/actions/workflows/zap-vs-ssti.yml |

Settings
The latest Nightly ZAP Docker image is run with the default settings against this app with no exceptions.