This repository provides a simple example of a FastAPI application with a Server-Side Template Injection (SSTI) vulnerability using Jinja2's from_string method.
- Python 3.7 or later
pippackage manager
- Clone this repository:
git clone https://github.com/TheWation/PythonSSTI.git
cd PythonSSTI- Install the required dependencies:
pip install -r requirements.txt
Run the FastAPI application with the following command:
uvicorn main:app --reloadThe application will be running at http://127.0.0.1:8000/.
Access the application in your browser or through tools like curl or Postman, providing the username parameter in the query string. For example:
http://127.0.0.1:8000/?username={{ 10 * 10 }}
Replace "test" with the payload you want to inject for testing SSTI.
This application is intentionally vulnerable to demonstrate Server-Side Template Injection. Do not use it in a production environment.
PythonSSTI is made with ♥ by Wation and it's released under the MIT license.