SSTI - Twig Scanner
Detects template injection in PHP Twig templates.
What is SSTI - Twig?
Twig Server-Side Template Injection occurs when user input becomes part of the template source itself (for example, passed to createTemplate() or concatenated into a template string) instead of being supplied as a variable to a fixed template. Twig is Symfony's default template engine and is widely used in PHP projects. Because a template is compiled to PHP, an attacker who controls template source can evaluate expressions, call filters and functions, and, depending on the version and configuration, reach PHP objects and functions that read files or execute arbitrary code on the server.
Why is This Important?
Twig SSTI can lead to information disclosure, arbitrary file reading, and remote code execution in PHP applications. Many PHP frameworks and CMS platforms use Twig, so the vulnerability class is widespread. Twig's feature set gives an attacker several routes to escalate: filters that accept a PHP callable, method and property access on objects in the template context, and custom extensions that wrap application functionality.
How It Works
1. Input Discovery
Maps all user input points including forms, headers, cookies, and API parameters for injection testing.
2. Injection Testing
Executes sophisticated injection payloads designed to bypass filters and WAFs while detecting vulnerabilities.
3. Exploitation Validation
Confirms vulnerabilities through safe exploitation, providing proof-of-concept and impact assessment.
Key Capabilities
Advanced injection detection engine combining signature-based and AI-powered analysis for comprehensive coverage.
- Multi-vector injection testing across all input types
- WAF and filter bypass techniques built-in
- Twig-specific payload optimization, including version-dependent escalation routes
- Out-of-band detection for blind vulnerabilities
- Automated proof-of-concept generation
Frequently Asked Questions
How do attackers exploit Twig SSTI?
Attackers first inject a harmless expression such as {{7*7}} and look for 49 in the response, which separates evaluation from plain reflection of the input. The next step depends on the Twig version. In Twig 1.x, _self.env exposed the Environment object, and its methods (such as registering an arbitrary PHP function as a filter) led directly to code execution. In Twig 2 and 3, _self is only the template name, so payloads instead abuse filters that accept a PHP function by name, such as filter, map, sort and reduce, or call methods on objects already present in the template context.
What can be achieved with Twig SSTI?
Depending on configuration, attackers can read arbitrary files, enumerate server information, access environment variables, and in some configurations achieve remote code execution through PHP functions or custom Twig extensions.
Does Twig's sandbox mode prevent SSTI exploitation?
Twig's sandbox is opt-in: you add the SandboxExtension with a SecurityPolicy that allow-lists the tags, filters, functions, methods and properties a template may use, and anything outside the list raises a SecurityError. It only helps if the policy is tight. Allowing filters that take PHP callables (filter, map, sort, reduce) or exposing methods on application objects reopens the path to code execution, and sandbox escapes have been found and patched in the past. Treat it as a complement to keeping user input out of template source, not a replacement.
How do I prevent Twig SSTI?
Never compile user input as template source: do not pass it to createTemplate() or the template_from_string function, and do not concatenate it into template files. Render fixed, predefined templates and pass user data only as variables, which Twig autoescapes by default. If users must author templates, enable the sandbox with a minimal SecurityPolicy, keep Twig on a supported and patched version, and review custom extensions, filters and functions for anything that reaches the filesystem or calls PHP functions with user-controlled arguments.
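The following script is an added example, not code from this scanner or from the Twig project. It ties together the detection procedure described under How It Works and the prevention advice above: it builds a deliberately vulnerable render path next to a hardened one, shows a sandbox policy that allow-lists a few filters, and runs the arithmetic-canary probe a scanner uses to tell "template evaluated" apart from "input merely reflected". It assumes PHP 8 and twig/twig installed via Composer (vendor/autoload.php); the $render callable stands in for the HTTP request a real scanner would make to the parameter under test.

```php
<?php
declare(strict_types=1);
// Added example (not the scanner's or Twig's own code). Assumes PHP 8 and
// twig/twig installed via Composer so that vendor/autoload.php exists.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Error\Error as TwigError;
use Twig\Extension\SandboxExtension;
use Twig\Loader\ArrayLoader;
use Twig\Sandbox\SecurityError;
use Twig\Sandbox\SecurityPolicy;

// Vulnerable: the user's input IS the template source, so {{ ... }} is evaluated.
function renderVulnerable(string $userInput): string
{
    $twig = new Environment(new ArrayLoader());
    return $twig->createTemplate($userInput)->render();
}

// Hardened: a fixed template; user input only ever arrives as a variable and is autoescaped.
function renderSafe(string $userInput): string
{
    $twig = new Environment(new ArrayLoader(['greeting.twig' => 'Hello {{ name }}!']));
    return $twig->render('greeting.twig', ['name' => $userInput]);
}

// If users must author templates: sandbox with an explicit allow-list. Note that
// filter, map, sort and reduce (which accept PHP callables) are deliberately absent.
function renderSandboxed(string $userTemplate, array $vars): string
{
    $policy = new SecurityPolicy(
        ['if', 'for'],          // allowed tags
        ['escape', 'upper'],    // allowed filters
        [],                     // allowed methods, per class
        [],                     // allowed properties, per class
        ['range']               // allowed functions
    );
    $twig = new Environment(new ArrayLoader());
    $twig->addExtension(new SandboxExtension($policy, true)); // true: sandbox every template
    return $twig->createTemplate($userTemplate)->render($vars);
}

// Scanner-side probe. $render is assumed to submit the payload to the input point
// under test and return the response body. Two random factors avoid false positives
// from pages that happen to contain "49", and the product must appear while the raw
// payload must not, which rules out simple reflection.
function probeTwigSsti(callable $render): array
{
    $a = random_int(1000, 9999);
    $b = random_int(1000, 9999);
    $payload  = sprintf('{{%d*%d}}', $a, $b);
    $expected = (string) ($a * $b);
    try {
        $response = $render($payload);
    } catch (SecurityError $e) {
        // Input reached the compiler but the sandbox policy rejected it.
        return ['evaluated' => true, 'evidence' => 'sandbox blocked: ' . $e->getMessage()];
    } catch (TwigError $e) {
        // A Twig syntax/runtime error is itself proof the input was compiled as a template.
        return ['evaluated' => true, 'evidence' => 'twig error: ' . $e->getMessage()];
    }
    $evaluated = str_contains($response, $expected) && !str_contains($response, $payload);
    return ['evaluated' => $evaluated, 'evidence' => $response];
}

// The canary proves evaluation, not impact: a sandboxed endpoint also evaluates
// arithmetic. Impact is decided by what the policy (or the absence of one) allows.
foreach (['vulnerable' => 'renderVulnerable', 'hardened' => 'renderSafe'] as $label => $fn) {
    $result = probeTwigSsti($fn);
    printf("%-10s evaluated=%s evidence=%s\n", $label, var_export($result['evaluated'], true), $result['evidence']);
}

// Sandbox behaviour: an allow-listed filter works, a callable-taking filter is refused.
printf("sandbox ok: %s\n", renderSandboxed('{{ name|upper }}', ['name' => 'bob']));
try {
    renderSandboxed('{{ [name]|filter(v => v)|join }}', ['name' => 'bob']);
} catch (SecurityError $e) {
    printf("sandbox blocked: %s\n", $e->getMessage());
}
```

Run it with `php ssti_demo.php` from the directory containing vendor/. The vulnerable path reports evaluated=true with the product as evidence, the hardened path reports evaluated=false because the response still contains the literal payload, and the sandboxed render raises a SecurityError for the filter filter while allowing upper. In a real engagement the probe payload stays harmless; escalation payloads that call PHP functions are only attempted after evaluation is confirmed and with the client's agreement.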