Skip to content

Server Side Template Injection - ASP.NET

Server-Side Template Injection (SSTI) is a class of vulnerabilities where an attacker can inject malicious input into a server-side template, causing the template engine to execute arbitrary code on the server. In the context of ASP.NET, SSTI can occur if user input is directly embedded into a template (such as Razor, ASPX, or other templating engines) without proper sanitization.

Summary

ASP.NET Razor

Official website

Razor is a markup syntax that lets you embed server-based code (Visual Basic and C#) into web pages.

ASP.NET Razor - Basic Injection

@(1+2)

ASP.NET Razor - Command Execution

@{
  // C# code
}

References