A Survey of the Overlooked Dangers of Template Engines
Lorenzo Pisu, Davide Maiorca, Giorgio Giacinto
TL;DR
This survey tackles the Remote Code Execution (RCE) risk arising from Server-Side Template Injection (SSTI) across a broad set of template engines. It systematically analyzes 34 engines in eight programming languages, evaluates their RCE paths, and catalogs the protections available, finding that 31 engines permit or have permitted RCE while only a minority employ robust defenses (sandboxes are the most common defense, but are often unreliable). By collating real-world SSTI CVEs and bug-bounty reports and contrasting detection tools such as Tplmap and ZAP-Esup, the study highlights gaps in current defenses and the need for cross-language, automated detection and hardening. The work also offers a taxonomy of RCE paths, discusses sandbox evasion (including template escapes), and gives concrete examples from multiple engines to illustrate practical risk and defense considerations. The findings stress the practical impact for developers and security practitioners and call for automated, language-agnostic approaches to assessing and mitigating SSTI/RCE risks in modern web applications.
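As an added illustration (not the paper's code, nor code from any engine it surveys), the self-contained Python sketch below shows the three points the TL;DR raises: what an SSTI is (untrusted input concatenated into the template source, versus passed as context data), the arithmetic `{{ 7*7 }}` probe that tools such as Tplmap use to detect it, and why a naive sandbox is unreliable (the toy engine evaluates expressions with an empty `__builtins__`, yet an expression can still walk from an empty tuple through the class hierarchy into the `os` module's namespace). The engine, the function names and the payload are constructed for this example; the escape chain mirrors the well-known Python object-graph traversal, and the demo only reads the reached module's name rather than executing anything. The probe syntax and the escape are engine-specific; the point is the pattern, not a universal payload.

```python
"""Toy template engine illustrating SSTI, the arithmetic probe, and a
sandbox escape. Constructed example; not the paper's code nor a real engine."""
import os  # assumed to be imported by the hosting app, as any real web app would
import re

# {{ expr }} delimiters, as used by several popular engines.
EXPR = re.compile(r"\{\{(.*?)\}\}")


def render(template: str, context: dict) -> str:
    """Replace each {{ expr }} in `template` with the value of `expr`.

    The "sandbox" is an empty __builtins__ mapping: no open(), no __import__.
    Context values are exposed as expression variables.
    """
    def substitute(match: re.Match) -> str:
        expr = match.group(1).strip()
        return str(eval(expr, {"__builtins__": {}}, dict(context)))
    return EXPR.sub(substitute, template)


def greet_vulnerable(user_input: str) -> str:
    """SSTI: untrusted input becomes part of the template *source*."""
    return render("Hello " + user_input + "!", {})


def greet_safe(user_input: str) -> str:
    """Fixed: the template is a constant; the input is only context *data*.
    The substituted text is never re-scanned for delimiters."""
    return render("Hello {{ name }}!", {"name": user_input})


def probe_ssti(render_user_input, probe: str = "{{ 7*7 }}") -> bool:
    """Tplmap-style detection: if the arithmetic is evaluated, the input
    reached the template parser rather than being treated as data."""
    return "49" in render_user_input(probe)


# Payload that escapes the empty-__builtins__ sandbox by walking the object
# graph: () -> tuple -> object -> every loaded class -> os._wrap_close,
# whose __init__ is a plain function carrying the os module's globals.
# Only the module's __name__ is read here; an attacker would take
# __globals__['system'] from the same dictionary.
ESCAPE_PAYLOAD = (
    "{{ [c for c in ().__class__.__base__.__subclasses__()"
    " if c.__name__ == '_wrap_close'][0].__init__.__globals__['__name__'] }}"
)


def sandbox_escape_reaches_module() -> str:
    """Return the name of the module reached from inside the 'sandbox'."""
    return render(ESCAPE_PAYLOAD, {})


if __name__ == "__main__":
    print(greet_vulnerable("{{ 7*7 }}"))          # arithmetic is evaluated
    print(greet_safe("{{ 7*7 }}"))                # delimiters stay literal
    print(probe_ssti(greet_vulnerable), probe_ssti(greet_safe))
    print(sandbox_escape_reaches_module())        # escape lands in `os`
```

The fix is the same in every engine: keep the template source constant and pass untrusted values only as context. Output escaping (HTML-encoding the rendered result) does not help, because the injection happens at parse time, before any output is produced; and denylisting builtins, as the toy sandbox does, leaves the object graph reachable, which is the class of weakness the survey finds in real sandboxes.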
Abstract
Template engines play a pivotal role in modern web application development, facilitating the dynamic rendering of content, products, and user interfaces. Nowadays, template engines are essential in any website that deals with dynamic data, from e-commerce platforms to social media. However, their widespread use also makes them attractive targets for attackers seeking to exploit vulnerabilities and gain unauthorized access to web servers. This paper presents a comprehensive survey of template engines, focusing on their susceptibility to Remote Code Execution (RCE) attacks, a critical security concern in web application development.
