Support Center

Burp Community

See what our users are saying about Burp Suite:

How do I?

New Post View All

Feature Requests

New Post View All

Burp Extensions

New Post View All

Bug Reports

New Post View All

Burp Suite Documentation

Take a look at our Documentation section for full details about every Burp Suite tool, function and configuration option.

Burp Suite Professional and Community editions Burp Suite Enterprise Edition
Burp Scanner Burp Collaborator
Burp Infiltrator Full Documentation Contents

Burp Extender

Burp Extender lets you extend the functionality of Burp Suite in numerous ways.

Extensions can be written in Java, Python or Ruby.

API documentation Writing your first Burp Suite extension
Sample extensions View community discussions about Extensibility
  1. Support Center
  2. Issue Definitions
  3. Server-side template injection

Server-side template injection

Description: Server-side template injection

Server-side template injection occurs when user input is unsafely embedded into a server-side template, allowing users to inject template directives. Using malicious template directives, an attacker may be able to execute arbitrary code and take full control of the web server.

The severity of this issue varies depending on the type of template engine being used. Template engines range from being trivial to almost impossible to exploit. The following steps should be used when attempting to develop an exploit:

  • Identify the type of template engine being used.
  • Review its documentation for basic syntax, security considerations, and built-in methods and variables.
  • Explore the template environment and map the attack surface.
  • Audit every exposed object and method.

Template injection vulnerabilities can be very serious and can lead to complete compromise of the application's data and functionality, and often of the server that is hosting the application. It may also be possible to use the server as a platform for further attacks against other systems. On the other hand, some template injection vulnerabilities may pose no significant security risk.

Remediation: Server-side template injection

Wherever possible, avoid creating templates from user input. Passing user input into templates as parameters is normally a safe alternative.

If supporting user-submitted templates is a business requirement, consider using a simple logic-less template engine such as Mustache or one provided by the native language like Python's Template. If this is not an option, review the chosen template engine's documentation for hardening advice, and consider rendering the template within a sandboxed execution environment.


For further information on the exploitation process and generic exploits for some popular template engines, please refer to the original PortSwigger blog post.

Other references:

Vulnerability classifications

Typical severity


Type index


Burp Scanner

Burp Scanner

This issue - and many more like it - can be found using our web vulnerability scanner

Read more
Get Burp

Get Burp

Scan your web application from just $399.00

Find out more