Server-side template injection is a 2010s-era web bug class that the LLM era inherited unchanged. This week you reproduce a generic Jinja2 SSTI in a Flask app so the LangChain-specific reproduction in Module 4 lands on understood ground.
Reading
- Stuttard and Pinto, WAHH, Chapters 8 to 9 (SSTI and template-injection deep dive). Roughly fifty pages. Critical reading.
- Yaworski, Real-World Bug Hunting, the SSTI chapter. Roughly twenty pages.
- PortSwigger SSTI cheatsheet, the canonical web reference.
- Flask official docs, the Jinja2 template integration section.
Lecture
Roughly three hours across two sessions. Key arc:
- Server-side template injection (SSTI). The Stuttard and Pinto WAHH definition.
- Why Jinja2 SSTI fires. User input reaches the template renderer as code, not as data.
- The canonical payload library:
{{7*7}}all the way through to RCE. - Reading a Flask view function and identifying where the template gets rendered with user-controlled input.
- Why every modern Python framework keeps the SSTI surface open by default. The performance versus safety trade.
Lab pack
Lab Pack 3 reproduces the generic Jinja2 SSTI in Flask. See Lab Pack 3.
Tools you will use
- Flask installed in a clean virtualenv (pinned in cohort-shared lab-3 requirements).
- Burp Suite Community to inject payloads into the form fields.
- Your browser's developer-tools network panel as a backup intercept.
OWASP LLM and ASI anchor
Generic Jinja2 SSTI in Flask is the canonical example of OWASP Web Top 10 A03 Injection. CVE-2025-65106 maps to OWASP LLM Top 10 LLM01 (Prompt Injection). The same mechanism, two different OWASP taxonomies, two different application domains.
Reflection prompts
- Why does
{{7*7}}return49in a vulnerable Flask app? - If the developer had used Jinja2's StrictUndefined or sandboxed environment, would the bug still fire?
- What is the smallest change to the Flask view function that closes the SSTI surface?
What is next
Module 4 takes everything you just learned about generic Jinja2 SSTI and points it at the LangChain prompt-template layer. The signature lab of the course.