Template Injection Table



How to Use the Template Injection Table?

If you're not familiar with template injection or the template injection methodology, take a look at our blog post about template injection: Template Injection Vulnerabilities – Understand, Detect, Identify
To make the detection of template injection possibilities and identification of template engines as efficient as possible, we have created polyglots based on the 44 most relevant template engines (as of September 2023). This table presents these and other polyglots along with the responses from the 44 template engines to these polyglots.
The table can be used in the following manner:

1. Detection
Start with the first universal error-based polyglot <%'${{/#{@}}%>{{. This will cause all tested template engines to throw an error. However, if the web application catches these errors and there is no change in behavior, then the error-based polyglots do not provide any information. In this case, the three universal non-error-based polyglots can be used as long as the user input is reflected. Together they ensure that the user input is rendered at least once in each of the template engines tested. If the input length is very limited and the universal polyglots are too long, the language-specific polyglots can be used instead.

2. Identification
To verify template injection and identify the template engine used by the application, send the remaining polyglots and filter the table by the response each one returns until only one template engine remains. As long as the user input is reflected, the non-error-based polyglots are usually more effective at weeding out the remaining template engines.
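
The filtering in step 2 is a candidate-elimination loop over the table. The following Python code is an added example, not part of the original page or of any tooling that ships with the table: the engine names, the probe labels P1 to P3 and the response values are constructed placeholders rather than rows from the real table, and oracle is a hypothetical callable that returns the response observed for a probe.

```python
from collections import Counter

# Constructed sample table (hypothetical engines and probe labels, NOT rows
# from the real Template Injection Table). Each value is the response the
# engine is expected to give for that probe.
TABLE = {
    "EngineA": {"P1": "error", "P2": "unmodified", "P3": "49"},
    "EngineB": {"P1": "error", "P2": "empty", "P3": "49"},
    "EngineC": {"P1": "error", "P2": "unmodified", "P3": "unmodified"},
    "EngineD": {"P1": "error", "P2": "empty", "P3": "error"},
}

def filter_engines(table, observations):
    """Keep engines whose expected response matches every observation."""
    return sorted(
        name for name, row in table.items()
        if all(row.get(p) == r for p, r in observations.items())
    )

def next_probe(table, candidates, used):
    """Pick the unused probe whose largest response group is smallest,
    i.e. the probe guaranteed to eliminate the most candidates."""
    best, best_worst = None, len(candidates)
    probes = sorted({p for c in candidates for p in table[c]} - set(used))
    for p in probes:
        worst = max(Counter(table[c].get(p) for c in candidates).values())
        if worst < best_worst:
            best, best_worst = p, worst
    return best  # None when no remaining probe separates the candidates

def identify(table, oracle):
    """Ask one probe at a time until at most one candidate remains."""
    observations = {}
    candidates = filter_engines(table, observations)
    while len(candidates) > 1:
        probe = next_probe(table, candidates, observations)
        if probe is None:  # remaining engines are indistinguishable
            break
        observations[probe] = oracle(probe)
        candidates = filter_engines(table, observations)
    return candidates, observations

if __name__ == "__main__":
    # Simulate an application backed by EngineD (constructed scenario).
    print(identify(TABLE, lambda p: TABLE["EngineD"][p]))
```

P1 is never selected because every engine answers it the same way, which mirrors the split above: a probe that all engines reject is useful for detection but carries no information for identification.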