Injection Attacks | Critical Severity

SSTI - FreeMarker Scanner

Identifies FreeMarker template injection in Java applications.

What is SSTI - FreeMarker?

FreeMarker Server-Side Template Injection (SSTI) occurs when attacker-controlled input is compiled as FreeMarker template source, rather than being passed to a fixed template as a data-model value. FreeMarker is a widely used Java template engine, and a template is effectively a small program: it can call methods on the objects it is given and, with the ?new built-in, instantiate Java classes. An SSTI vulnerability therefore lets an attacker run arbitrary Java code and operating-system commands and take over the server with the privileges of the application process.

Why is This Important?

FreeMarker SSTI typically leads to remote code execution because templates can instantiate Java classes through the ?new built-in and call Java methods on objects in the data model. Many Java web applications and frameworks render FreeMarker templates, and a single injection point can give an attacker full control of the host with the application's privileges.

How It Works

1. Input Discovery

Maps all user input points including forms, headers, cookies, and API parameters for injection testing.

2. Injection Testing

Executes sophisticated injection payloads designed to bypass filters and WAFs while detecting vulnerabilities.

3. Exploitation Validation

Confirms vulnerabilities through safe exploitation, providing proof-of-concept and impact assessment.

Key Capabilities

Advanced injection detection engine combining signature-based and AI-powered analysis for comprehensive coverage.

  • Multi-vector injection testing across all input types
  • WAF and filter bypass techniques built-in
  • Template-engine-specific payload optimization
  • Out-of-band detection for blind vulnerabilities
  • Automated proof-of-concept generation

Frequently Asked Questions

How severe is FreeMarker SSTI?

FreeMarker SSTI is critical because it typically allows direct remote code execution. Under the default configuration the ?new built-in can instantiate freemarker.template.utility.Execute, which runs operating-system commands, and where the object wrapper does not block it an attacker can reach Runtime.getRuntime().exec() through objects exposed in the data model. This is one of the most dangerous SSTI variants.

What payloads work against FreeMarker?

Common payloads include ${"freemarker.template.utility.Execute"?new()("id")} to execute a system command, "freemarker.template.utility.ObjectConstructor"?new() to instantiate arbitrary classes, and the ?api built-in (which works only if the api_builtin_enabled setting has been turned on; it is off by default) to reach Java methods on objects passed to the template. A harmless first probe such as ${7*7} shows whether input reaches the template compiler at all before any command-execution payload is sent.

Does FreeMarker have security controls?

FreeMarker has no sandbox that is on by default, but it offers several controls. The new_builtin_class_resolver setting (a TemplateClassResolver set on the Configuration, or per template through TemplateConfiguration) decides which classes ?new may instantiate; FreeMarker ships SAFER_RESOLVER, which refuses Execute, ObjectConstructor and JythonRuntime, and ALLOWS_NOTHING_RESOLVER. The api_builtin_enabled setting controls ?api. Since 2.3.30 a MemberAccessPolicy on the object wrapper restricts which Java methods and fields templates can reach. The defaults are mixed: ?api is disabled, but the class resolver is UNRESTRICTED_RESOLVER, so Execute can be instantiated out of the box unless an administrator changes it.

How do I prevent FreeMarker SSTI?

Never compile user input as template source; keep template text fixed in the code base and pass user data to it as data-model values, rendered through an escaping output format. As defence in depth, set new_builtin_class_resolver to TemplateClassResolver.ALLOWS_NOTHING_RESOLVER (or at least SAFER_RESOLVER), leave ?api disabled (api_builtin_enabled=false), configure a restrictive MemberAccessPolicy such as WhitelistMemberAccessPolicy on the object wrapper, keep FreeMarker updated, and audit code for places where request data reaches a Template constructor or a template loader.
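The following is an added illustration, not code from the scanner vendor or from the FreeMarker project. It puts the vulnerable sink, the arithmetic probe behind the scanner's injection-testing step, and the hardened configuration from the prevention advice side by side. It assumes FreeMarker 2.3.30 or later on the classpath; the class name FreeMarkerSstiDemo, the probe and payload strings, and the single allow-list entry "java.lang.String length()" are constructed for the example.

```java
import java.io.StringWriter;
import java.util.Arrays;
import java.util.Collections;

import freemarker.core.HTMLOutputFormat;
import freemarker.core.TemplateClassResolver;
import freemarker.ext.beans.MemberSelectorListMemberAccessPolicy.MemberSelector;
import freemarker.ext.beans.WhitelistMemberAccessPolicy;
import freemarker.template.Configuration;
import freemarker.template.DefaultObjectWrapperBuilder;
import freemarker.template.Template;
import freemarker.template.TemplateException;

// Added illustration, not code from the scanner vendor or the FreeMarker project.
// Assumes FreeMarker 2.3.30 or later (MemberAccessPolicy appeared in 2.3.30).
public class FreeMarkerSstiDemo {

    // Constructed probe and payload, as a scanner would send them.
    static final String ARITH_PROBE = "${7*7}";
    static final String EXEC_PAYLOAD =
            "${\"freemarker.template.utility.Execute\"?new()(\"id\")}";

    // VULNERABLE sink: attacker input is compiled as template source under a default
    // Configuration, whose new_builtin_class_resolver is UNRESTRICTED_RESOLVER.
    static String renderVulnerable(String userInput) throws Exception {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_31);
        Template t = new Template("greeting", "Hello " + userInput, cfg);
        StringWriter out = new StringWriter();
        t.process(Collections.emptyMap(), out);
        return out.toString();
    }

    // Hardened Configuration: ?new can instantiate nothing, ?api stays off, templates
    // may call only allow-listed Java members, and output is HTML auto-escaped.
    static Configuration hardenedConfiguration() throws Exception {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_31);
        cfg.setNewBuiltinClassResolver(TemplateClassResolver.ALLOWS_NOTHING_RESOLVER);
        cfg.setAPIBuiltinEnabled(false); // already the default, stated explicitly
        cfg.setOutputFormat(HTMLOutputFormat.INSTANCE);

        DefaultObjectWrapperBuilder owb =
                new DefaultObjectWrapperBuilder(Configuration.VERSION_2_3_31);
        // Hypothetical allow-list: the only Java member templates may call on model beans.
        owb.setMemberAccessPolicy(new WhitelistMemberAccessPolicy(
                MemberSelector.parseMemberSelectors(
                        Arrays.asList("java.lang.String length()"),
                        FreeMarkerSstiDemo.class.getClassLoader())));
        cfg.setObjectWrapper(owb.build());
        return cfg;
    }

    // SAFE sink: the template text is fixed; user input enters only as a data-model value.
    static String renderSafe(Configuration cfg, String userInput) throws Exception {
        Template t = new Template("greeting", "Hello ${name}", cfg);
        StringWriter out = new StringWriter();
        t.process(Collections.singletonMap("name", userInput), out);
        return out.toString();
    }

    // The check behind the scanner's injection-testing step: the arithmetic probe is
    // evaluated only if the input reached the template compiler. Other engines also
    // evaluate ${7*7}, so confirm with a FreeMarker-specific probe before reporting.
    static boolean arithmeticProbeEvaluated(String response) {
        return response.contains("49") && !response.contains("${7*7}");
    }

    public static void main(String[] args) throws Exception {
        String r = renderVulnerable(ARITH_PROBE);
        System.out.println(r + " -> injectable: " + arithmeticProbeEvaluated(r)); // Hello 49 -> true
        System.out.println(renderVulnerable(EXEC_PAYLOAD)); // prints the output of `id` on the host

        Configuration cfg = hardenedConfiguration();
        r = renderSafe(cfg, ARITH_PROBE);
        System.out.println(r + " -> injectable: " + arithmeticProbeEvaluated(r)); // Hello ${7*7} -> false

        // Defence in depth: even if user input were compiled under the hardened
        // Configuration, ?new is refused before Execute can be constructed.
        try {
            new Template("probe", EXEC_PAYLOAD, cfg)
                    .process(Collections.emptyMap(), new StringWriter());
        } catch (TemplateException e) {
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```

The decisive fix is the shape of renderSafe, not the Configuration settings: user input that only ever appears as a data-model value cannot become template code, and HTMLOutputFormat escapes it on the way out. The resolver, ?api and MemberAccessPolicy settings in hardenedConfiguration limit the damage if an injection point is missed, and the final try block shows that the ALLOWS_NOTHING_RESOLVER stops the Execute payload at the ?new call.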
