This repository provides an example Express application using Pug templates to illustrate Server-Side Template Injection (SSTI) vulnerabilities and a safe implementation.
- Clone this repository:

```bash
git clone https://github.com/TheWation/NodeJsSSTI.git
cd NodeJsSSTI
```

- Install dependencies:

```bash
npm install
```

- Start the Express application:

```bash
npm start
```

The application will be running at http://localhost:8000/.
Visit the application in your browser, or with a tool like curl or Postman, passing the `username` parameter in the query string. For example:

```
http://localhost:8000/?username=%23{10 * 10}
```

Output:

```
Welcome 100!
```
Note: The default implementation is vulnerable to SSTI.
To test the safe implementation, uncomment the safe template string and comment out the vulnerable one in the `app.get` route handler in `index.js`. Restart the application:

```bash
npm start
```

Visit the application again with different `username` parameters to observe the difference.
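The difference between the two template strings in `index.js`, as an added example that is not the repository's code: the first path splices the query value into the template source before it is compiled, so a `#{10 * 10}` in it is evaluated (the `Welcome 100!` shown above); the second keeps the template source constant and hands the value in as a local, so it is escaped output and never code. To run offline it uses a few lines of `new Function` as a stand-in for Pug's `#{...}` interpolation (an assumption, not the Pug library; Pug's own compiler behaves the same way for this purpose); `render`, `renderVulnerable`, `renderSafe` and `usernameFromRequestUrl` are names made up here.

```javascript
// Minimal stand-in for a template engine with Pug-style #{expr} interpolation.
// It is NOT Pug; it exists only so the two render paths below run offline.
// Like Pug, it compiles template SOURCE into a JavaScript function and
// HTML-escapes interpolated values when they are written to the output.

const escapeHtml = (value) =>
  String(value).replace(/[&<>"']/g, (c) =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));

// Compile `source` and run it with `locals` visible as bare identifiers.
function render(source, locals = {}) {
  const interpolation = /#\{([^}]*)\}/g;
  let code = 'let __out = "";\n';
  let last = 0;
  let match;
  while ((match = interpolation.exec(source)) !== null) {
    code += `__out += ${JSON.stringify(source.slice(last, match.index))};\n`;
    // Whatever sits inside #{...} becomes part of the compiled function body.
    code += `__out += __escape((${match[1]}));\n`;
    last = match.index + match[0].length;
  }
  code += `__out += ${JSON.stringify(source.slice(last))};\nreturn __out;`;
  const names = Object.keys(locals);
  const compiled = new Function(...names, '__escape', code);
  return compiled(...names.map((n) => locals[n]), escapeHtml);
}

// Vulnerable pattern (the spirit of the default route in index.js):
// the query value is concatenated into the template source BEFORE
// compilation, so any #{...} it contains is compiled and evaluated.
function renderVulnerable(username) {
  const source = `Welcome ${username}!`;
  return render(source);
}

// Safe pattern: the template source is a constant; the query value is
// passed only as a local, so it is escaped data, never template code.
function renderSafe(username) {
  const source = 'Welcome #{username}!';
  return render(source, { username });
}

// Mirrors how Express exposes req.query.username (percent-decoded).
function usernameFromRequestUrl(url) {
  return new URL(url).searchParams.get('username') || '';
}

// Constructed request matching the README's example URL.
const probe = usernameFromRequestUrl('http://localhost:8000/?username=%23{10 * 10}');
console.log('vulnerable:', renderVulnerable(probe)); // Welcome 100!
console.log('safe:      ', renderSafe(probe));       // Welcome #{10 * 10}!
```

The fix is not escaping or filtering the `#{` characters; it is keeping user input out of the template source entirely. Once the value arrives as a local, the engine's output escaping also covers markup in it (a `<b>` in the username renders as `&lt;b&gt;`), which is the "validate and sanitize" the closing note asks for.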
This application is intentionally vulnerable to demonstrate SSTI. Do not use it in a production environment. Always validate and sanitize user input.
NodeJsSSTI is made with ♥ by Wation and it's released under the MIT license.