← Back to All Scanners
Injection AttacksCritical Severity

SSTI - Pebble Scanner

Detects Pebble template engine injection vulnerabilities.

Try This Scanner

What is SSTI - Pebble?

Pebble Template Engine Injection occurs when user input is unsafely incorporated into Pebble templates in Java applications. Pebble is designed as a secure alternative to other Java template engines, but misuse can still lead to SSTI vulnerabilities that allow attackers to access Java objects and potentially execute code.

Why is This Important?

While Pebble has more security controls than older template engines, it's not immune to SSTI. Exploitation can lead to information disclosure, accessing sensitive objects, and in some configurations remote code execution. Pebble's growing popularity makes it an increasing target for attackers.

How It Works

1. Input Discovery

Maps all user input points including forms, headers, cookies, and API parameters for injection testing.

2. Injection Testing

Executes sophisticated injection payloads designed to bypass filters and WAFs while detecting vulnerabilities.

3. Exploitation Validation

Confirms vulnerabilities through safe exploitation, providing proof-of-concept and impact assessment.

Key Capabilities

Advanced injection detection engine combining signature-based and AI-powered analysis for comprehensive coverage.

  • Multi-vector injection testing across all input types
  • WAF and filter bypass techniques built-in
  • Database-specific payload optimization
  • Out-of-band detection for blind vulnerabilities
  • Automated proof-of-concept generation

Frequently Asked Questions

Is Pebble safer than other template engines?

Pebble has better security defaults than FreeMarker or Velocity. It uses a restrictive type check system by default. However, these protections can be weakened by configuration, and creative attackers have found bypasses in certain versions.

What exploitation techniques work on Pebble?

Attackers typically try to access exposed Java objects' methods, use the beans extension if enabled, or exploit custom extensions. Payloads often involve chaining method calls to reach dangerous classes like Runtime or ProcessBuilder.

What security features does Pebble offer?

Pebble restricts access to certain methods by default, has configurable method access policies, supports sandboxing, and allows customizing which attributes and methods are accessible. These must be properly maintained as the application evolves.

How do I prevent Pebble SSTI?

Never compile user input as templates, use strict output escaping, keep restrictive default security settings, carefully audit any custom extensions, minimize objects exposed to templates, and keep Pebble updated to the latest version.

Related Scanners

NoSQL Injection - MongoDBCritical
Learn more →
NoSQL Injection - RedisCritical
Learn more →
NoSQL Injection - CouchDBCritical
Learn more →
NoSQL Injection - CassandraCritical
Learn more →

Ready to secure your application?

Start testing for ssti - pebble vulnerabilities today.

Get Started Free