Skip to content

Server Side Template Injection Analyzer

Configuration Name: SstInjection

Description

Server Side Template Injection analyzer detects injection attack vulnerabilities in an API by issuing requests that contain template engine attack vectors. An application is vulnerable to injection attacks if it does not properly validate, filter, or sanitize input strings in a request. This can be exploited by an attacker by sending attack vectors in a request. OWASP classifies Injection as #8 in its API Security Top 10 (API8:2019).

Faults Reported

Fault Identifier Title Summary Solution Severity
CWE-20 Improper Input Validation The application either does not validate input data or incorrectly validates that the input may be processed safely and correctly. Application should sanitize inputs and respond with a client error for invalid input data. medium
CWE-1336 Improper Neutralization of Special Elements Used in a Template Engine The application does not properly validate or sanitize input data that is used in a template expression that is processed by the application. The application should sanitize inputs and respond with a client error for invalid input data. medium