reddit hackernews mail facebook facebook linkedin


Automatic SSTI detection tool with interactive interface.

SSTImap is a penetration testing software that can check websites for Code Injection and Server-Side Template Injection vulnerabilities and exploit them, giving access to the operating system itself. This tool was developed to be used as an interactive penetration testing tool for SSTI detection and exploitation, which allows more advanced exploitation.

SSTImap supports multiple template engines and eval()-like injections:
- Mako
- Jinja2
- Python (code eval)
- Tornado
- Nunjucks
- Pug
- doT
- Marko
- JavaScript (code eval)
- Dust
- Ruby (code eval)
- Slim
- Smarty (unsecured)
- Smarty (secured)
- PHP (code eval)
- Twig
- Freemarker
- Velocity
- Twig
- Dust