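metadata:
    language: v1-beta
    name: "SSTI"
    description: "Server-side template injection (SSTI)"
    author: "MrW0l05zyn"
    tags: "ssti"

# Detection strategy: inject a small arithmetic expression in the delimiter
# syntax of common template engines and look for the evaluated result
# (1234*2 == 1234+1234 == 2468) in the response. A reflected-but-unevaluated
# payload never contains "2468", so reflection alone does not trigger.
run for each:
    payloads =
        "{1234*2}",
        "{1234+1234}",
        "%{1234*2}",
        "%{1234+1234}",
        "<%= 1234*2 %>",
        "<%= 1234+1234 %>",
        "${1234*2}",
        "${1234+1234}",
        "{{1234*2}}",
        "{{1234+1234}}",
        "#{1234*2}",
        "#{1234+1234}",
        "@{1234*2}",
        "@{1234+1234}",
        "@(1234*2)",
        "@(1234+1234)"

given any insertion point then
    # Skip insertion points whose unmodified response already contains the
    # expected result (including thousands-separated or bracketed renderings);
    # otherwise every payload would produce a false positive here.
    if not({base.response} matches "2468|2\,468|2\.468|\<2468\>") then

        # Try the payload appended to the original value first. The check must
        # run right after this send: {latest.response} only refers to the most
        # recent response, so a result seen here would otherwise be lost once
        # the second (replacing) request is sent.
        send payload:
            appending: {payloads}

        if {latest.response} matches "2468|2\,468|2\.468|\<2468\>" then
            report issue:
                severity: high
                # Tentative: the leading "2468" alternative is a plain substring
                # match, so a value such as 12468 elsewhere in the page would
                # also satisfy it. Confirm manually before escalating.
                confidence: tentative
                detail: "Server-side template injection (SSTI)"
        end if

        # Then try the payload as a full replacement of the original value,
        # which is needed when the parameter's existing value breaks the
        # template syntax (e.g. a trailing quote or an unbalanced brace).
        send payload:
            replacing: {payloads}

        if {latest.response} matches "2468|2\,468|2\.468|\<2468\>" then
            report issue:
                severity: high
                confidence: tentative
                detail: "Server-side template injection (SSTI)"
        end if
    end if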