Skip to content

TheWation/PythonSSTI

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2 Commits

.gitignore

.gitignore

 
 

CODE_OF_CONDUCT.md

CODE_OF_CONDUCT.md

 
 

CONTRIBUTING.md

CONTRIBUTING.md

 
 

LICENSE.md

LICENSE.md

 
 

README.md

README.md

 
 

main.py

main.py

 
 

requirements.txt

requirements.txt

 
 

Repository files navigation

FastAPI with Jinja2 SSTI Vulnerable Lab

made-with-python built-with-love

This repository provides a simple example of a FastAPI application with a Server-Side Template Injection (SSTI) vulnerability using Jinja2's from_string method.

Prerequisites

  • Python 3.7 or later
  • pip package manager

Installation

  1. Clone this repository:
git clone https://github.com/TheWation/PythonSSTI.git
cd PythonSSTI
  1. Install the required dependencies:
pip install -r requirements.txt

Run the FastAPI Application

Run the FastAPI application with the following command:

uvicorn main:app --reload

The application will be running at http://127.0.0.1:8000/.

Test SSTI Vulnerability

Access the application in your browser or through tools like curl or Postman, providing the username parameter in the query string. For example:

http://127.0.0.1:8000/?username={{ 10 * 10 }}

Replace "test" with the payload you want to inject for testing SSTI.

Disclaimer

This application is intentionally vulnerable to demonstrate Server-Side Template Injection. Do not use it in a production environment.

License

PythonSSTI is made with ♥ by Wation and it's released under the MIT license.

About

FastAPI app with Jinja2 SSTI vulnerability example to demonstrate security risks in web applications.

Topics

python jinja2 ssti server-side-template-injection

Resources

Readme

License

MIT license

Code of conduct

Code of conduct
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Languages