The Template Injection Table is intended to help during the testing of an application for template injection vulnerabilities. It was developed by Hackmanit and Maximilian Hildebrand.
The table consists of so-called "polyglots" that can be used to detect template injection possibilities and identify which template engine is used by an application.
If you're not familiar with template injection or the template injection methodology, take a look at our blog post about template injection: Template Injection Vulnerabilities – Understand, Detect, Identify
To make the detection of template injection possibilities and identification of template engines as efficient as possible, we have created polyglots based on the 44 most relevant template engines (as of September 2023). This table presents these and other polyglots along with the responses from the 44 template engines to these polyglots.
The table can be used in the following manner:
-
Detection: First, use the first universal error-based polyglot
<%'${{/#{@}}%>{{
. This will cause all tested template engines to throw an error. However, if the web application catches these errors and there is no change in behavior, then the error-based polyglots do not provide any information. In this case, the three universal non-error-based polyglots can be used as long as the user input is reflected. Together they ensure that the user input is rendered at least once in each of the template engines tested. If the input length is very limited and the universal polyglots are too long, the language-specific polyglots can be used instead. -
Identification: To verify template injection and identify the template engine used by the application, use the remaining polyglots and filter for the response returned until only one template engine remains. As long as the user input is reflected, the non-error-based polyglots are usually more effective at weeding out the remaining template engines.
Simply access https://cheatsheet.hackmanit.de/template-injection-table to use the table as described in How to Use the Template Injection Table?. There is no need to download this repository unless you want to use or modify the table locally.
A blog post providing more information about template injection and TInjA – the Template INJection Analyzer can be found here:
Template Injection Vulnerabilities – Understand, Detect, Identify
The Template Injection Table was developed as a part of a master's thesis by Maximilian Hildebrand. You can find results of the master's thesis publicly available here:
- Template Injection Table
- Template Injection Playground
- TInjA – the Template INJection Analyzer
- Master's Thesis (PDF)
The Template Injection Table was developed by Hackmanit and Maximilian Hildebrand as a part of his master's thesis. The Template Injection Table is licensed under the Apache License, Version 2.0.