| Template Engine | Language | Syntax Example | Common Use Case | SSTI Risk | Notes |
|---|---|---|---|---|---|
| Jinja2 | Python | `{{ 7*7 }}` | Flask apps | ✅ High | Most common SSTI in CTFs |
| Django Templates | Python | `{{ var }}`, `{% block %}` | Django framework | ⚠️ Medium | Limited expression support |
| Twig | PHP | `{{ var }}`, `{% if %}` | Laravel, Symfony | ✅ High | Inspired by Jinja2 |
| Smarty | PHP | `{$var}` | Older PHP apps | ✅ High | Can access PHP functions |
| Blade | PHP | `{{ var }}`, `@if()` | Laravel | ⚠️ Low | Escapes by default, but bypasses exist |
| Velocity | Java | `$var`, `#if()` | Apache Velocity | ✅ High | Java class access possible |
| FreeMarker | Java | `${var}` | Java web apps | ✅ High | Also allows Java method access |
| Thymeleaf | Java | `th:text="${var}"` | Spring Boot | ⚠️ Medium | Safer by design, but misuse possible |
| EJS | JavaScript | `<%= var %>` | Express apps (Node.js) | ⚠️ Low | Mostly client-safe, but XSS possible |
| Pug (Jade) | JavaScript | `#{var}` or `!= var` | Node.js (Express) | ⚠️ Low | Escapes by default |
| Handlebars | JavaScript | `{{var}}`, `{{#if}}` | Frontend, Node.js | ⚠️ Medium | SSTI via prototype pollution possible |
| Mustache | JS, Go, etc. | `{{var}}` | Lightweight templating | ⚠️ Low | Logic-less, safer by design |
| Razor | C# / ASP.NET | `@Model.Property` | ASP.NET MVC | ⚠️ Medium | Can be dangerous in rare cases |
| Liquid | Ruby/JS/etc. | `{{ var }}`, `{% if %}` | Shopify, Jekyll | ⚠️ Low | Sandboxed, safer than Jinja2 |