FastAPI with Jinja2 SSTI Vulnerable Lab

This repository provides a simple example of a FastAPI application with a Server-Side Template Injection (SSTI) vulnerability using Jinja2's from_string method.

Prerequisites

Python 3.7 or later
pip package manager

Installation

Clone this repository:

git clone https://github.com/TheWation/PythonSSTI.git
cd PythonSSTI

Install the required dependencies:

pip install -r requirements.txt

Run the FastAPI Application

Run the FastAPI application with the following command:

uvicorn main:app --reload

The application will be running at http://127.0.0.1:8000/.

Test SSTI Vulnerability

Access the application in your browser or through tools like curl or Postman, providing the username parameter in the query string. For example:

http://127.0.0.1:8000/?username={{ 10 * 10 }}

Replace "test" with the payload you want to inject for testing SSTI.

Disclaimer

This application is intentionally vulnerable to demonstrate Server-Side Template Injection. Do not use it in a production environment.

License

PythonSSTI is made with ♥ by Wation and it's released under the MIT license.

Name		Name	Last commit message	Last commit date
Latest commit History 2 Commits
.gitignore		.gitignore
CODE_OF_CONDUCT.md		CODE_OF_CONDUCT.md
CONTRIBUTING.md		CONTRIBUTING.md
LICENSE.md		LICENSE.md
README.md		README.md
main.py		main.py
requirements.txt		requirements.txt

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Repository files navigation

FastAPI with Jinja2 SSTI Vulnerable Lab

Prerequisites

Installation

Run the FastAPI Application

Test SSTI Vulnerability

Disclaimer

License

About

Languages

License

TheWation/PythonSSTI

Folders and files

Latest commit

History

Repository files navigation

FastAPI with Jinja2 SSTI Vulnerable Lab

Prerequisites

Installation

Run the FastAPI Application

Test SSTI Vulnerability

Disclaimer

License

About

Topics

Resources

License

Code of conduct

Stars

Watchers

Forks

Languages