> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-17/vulnerability-discovery/trick-0402.md).

# Identify SSTI Vulnerability

***

Inject a simple mathematical expression like `{{7*7}}` into user-supplied input fields on a web application. If a Server-Side Template Injection vulnerability exists, the template engine will evaluate the expression.

For instance, if the output on the page changes to display `49` where your input was reflected, it confirms the presence and evaluation of a template expression:

```jinja
{{7*7}}
```

Observing the evaluated output confirms a template engine is processing the input, strongly indicating a potential SSTI vulnerability.

Different template engines may respond differently to specific payloads. For example, while `{{7*7}}` might evaluate correctly in one engine, another might require a slightly different syntax or produce an error. A useful test payload to try alongside `{{7*7}}` is `{{7*'7'}}`. The response to this payload can often help identify the specific template engine being used. If the output is `49`, it suggests the engine evaluated the expression as a mathematical operation. If the output is `7777777` (seven sevens), it indicates string concatenation, a behavior seen in some template engines like Twig. Testing with a variety of simple expressions like these helps confirm the vulnerability and potentially fingerprint the underlying template technology.
