Overview
Basic SSTI focuses on a PHP-based application that renders user-controlled input through a server-side template engine.
This lab introduces Server-Side Template Injection through template rendering, where user input can cross from ordinary text into a code-aware template context.
Security Impact
SSTI can lead to sensitive data exposure, template logic manipulation, server-side execution paths, or broader application compromise depending on the engine, configuration, and available runtime features.
Vulnerability Scope
Email templates, CMS pages, report generators, theme editors, notification systems, and custom template features are exposed when user-controlled data is mixed into server-rendered templates.
Lab Focus
The lab focuses on template-rendered input, the difference between data interpolation and template evaluation, and why user content must stay separate from template code.
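The difference between data interpolation and template evaluation, as an added example that is not the lab's own code. `render()` is a hypothetical stand-in for a template engine, and the context keys and the sample input are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical minimal engine (assumption, not a real library):
// replaces {{ name }} with the HTML-escaped value of $context['name'].
// Substitution is single-pass, so inserted values are never re-scanned.
function render(string $template, array $context): string
{
    return preg_replace_callback(
        '/\{\{\s*(\w+)\s*\}\}/',
        static function (array $m) use ($context): string {
            $value = (string) ($context[$m[1]] ?? '');
            return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
        },
        $template
    ) ?? $template;
}

// Unsafe: user input becomes part of the template SOURCE, so any template
// syntax it contains is evaluated by the engine.
function renderUnsafe(string $userInput, array $context): string
{
    return render('Hello ' . $userInput . ', welcome to {{ site }}', $context);
}

// Safe: the template source is a fixed string; user input is passed only
// as a context VALUE and is interpolated as escaped data.
function renderSafe(string $userInput, array $context): string
{
    $template = 'Hello {{ name }}, welcome to {{ site }}';
    return render($template, $context + ['name' => $userInput]);
}

// Constructed context: one public value, one value the page never displays.
$context = [
    'site'          => 'Example Lab',
    'internal_note' => 'constructed-internal-value',
];

// Constructed sample input: ordinary text that also contains template syntax.
$userInput = 'guest {{ internal_note }}';

echo renderUnsafe($userInput, $context), PHP_EOL;
echo renderSafe($userInput, $context), PHP_EOL;
```

In the unsafe call the engine expands the placeholder embedded in the user's text, exposing a context value the template author never referenced; in the safe call the same text comes back as literal characters.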
