Classroom Glossary Public page

Week 3: Jinja2 SSTI, the Bug Class

Server-side template injection is a 2010s-era web bug class that the LLM era inherited unchanged. This week you reproduce a generic Jinja2 SSTI in a Flask app so the LangChain-specific reproduction in Module 4 lands on understood ground.


Reading

  • Stuttard and Pinto, WAHH, Chapters 8 to 9 (SSTI and template-injection deep dive). Roughly fifty pages. Critical reading.
  • Yaworski, Real-World Bug Hunting, the SSTI chapter. Roughly twenty pages.
  • PortSwigger SSTI cheatsheet, the canonical web reference.
  • Flask official docs, the Jinja2 template integration section.

Lecture

Roughly three hours across two sessions. Key arc:

  • Server-side template injection (SSTI). The Stuttard and Pinto WAHH definition.
  • Why Jinja2 SSTI fires. User input reaches the template renderer as code, not as data.
  • The canonical payload library: {{7*7}} all the way through to RCE.
  • Reading a Flask view function and identifying where the template gets rendered with user-controlled input.
  • Why every modern Python framework keeps the SSTI surface open by default. The performance versus safety trade.

Lab pack

Lab Pack 3 reproduces the generic Jinja2 SSTI in Flask. See Lab Pack 3.

Tools you will use

  • Flask installed in a clean virtualenv (pinned in cohort-shared lab-3 requirements).
  • Burp Suite Community to inject payloads into the form fields.
  • Your browser's developer-tools network panel as a backup intercept.

OWASP LLM and ASI anchor

Generic Jinja2 SSTI in Flask is the canonical example of OWASP Web Top 10 A03 Injection. CVE-2025-65106 maps to OWASP LLM Top 10 LLM01 (Prompt Injection). The same mechanism, two different OWASP taxonomies, two different application domains.

Reflection prompts

  1. Why does {{7*7}} return 49 in a vulnerable Flask app?
  2. If the developer had used Jinja2's StrictUndefined or sandboxed environment, would the bug still fire?
  3. What is the smallest change to the Flask view function that closes the SSTI surface?

What is next

Module 4 takes everything you just learned about generic Jinja2 SSTI and points it at the LangChain prompt-template layer. The signature lab of the course.