SSTI - Velocity Scanner
Tests for Apache Velocity template injection.
What is SSTI - Velocity?
Apache Velocity Server-Side Template Injection occurs when attackers can inject Velocity Template Language (VTL) directives into templates. Velocity is widely used in Java applications, especially older enterprise systems. SSTI allows attackers to execute Java methods and system commands through the template engine.
Why is This Important?
Velocity SSTI is dangerous because it allows calling arbitrary Java methods on objects. Many legacy Java applications and frameworks still use Velocity. The relatively simple VTL syntax makes exploitation straightforward once an injection point is found, typically leading to complete server compromise.
How It Works
1. Input Discovery
Maps all user input points including forms, headers, cookies, and API parameters for injection testing.
2. Injection Testing
Executes sophisticated injection payloads designed to bypass filters and WAFs while detecting vulnerabilities.
3. Exploitation Validation
Confirms vulnerabilities through safe exploitation, providing proof-of-concept and impact assessment.
Key Capabilities
Advanced injection detection engine combining signature-based and AI-powered analysis for comprehensive coverage.
- Multi-vector injection testing across all input types
- WAF and filter bypass techniques built-in
- Database-specific payload optimization
- Out-of-band detection for blind vulnerabilities
- Automated proof-of-concept generation
Frequently Asked Questions
How do attackers exploit Velocity SSTI?
Attackers inject VTL like #set($x=1+1) to confirm SSTI, then use object methods to access Runtime.getRuntime().exec(). Common payloads access the class loader to instantiate ProcessBuilder or Runtime for command execution.
What makes Velocity particularly vulnerable?
Velocity allows calling any public method on objects in the context. If common objects like strings or lists are available, attackers can chain getClass().forName() to load arbitrary classes. Default configurations rarely restrict method access.
Can Velocity's SecureUberspector prevent exploitation?
SecureUberspector and SecureIntrospector can restrict method access, but they must be explicitly configured. They block access to certain methods and classes but have been bypassed in the past. Defense in depth is essential.
How do I prevent Velocity SSTI?
Never include user input in template source, configure SecureUberspector to restrict method access, minimize objects in the Velocity context, use an allowlist of accessible methods, consider migrating to a more secure template engine, and keep Velocity updated.
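The first two prevention points side by side, as an added illustration that is not part of the original page or of the scanner: one rendering path that splices user input into the template source (the injection point the page describes) and one that keeps the template fixed, passes the input as a context value, and enables SecureUberspector. It assumes Apache Velocity 1.7 or 2.x on the classpath; the class name VelocityGreeting and its method names are hypothetical.

```java
import java.io.StringWriter;
import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;
import org.apache.velocity.runtime.RuntimeConstants;
import org.apache.velocity.util.introspection.SecureUberspector;

public class VelocityGreeting {

    // VULNERABLE: the user's string becomes part of the template *source*, so
    // any VTL directives or references it contains are parsed and executed.
    static String renderUnsafe(VelocityEngine engine, String userName) {
        String template = "Hello, " + userName + "!";   // input treated as code
        StringWriter out = new StringWriter();
        engine.evaluate(new VelocityContext(), out, "greeting", template);
        return out.toString();
    }

    // HARDENED: the template is a constant; the user's string enters only as a
    // context value, which Velocity prints verbatim and never parses as VTL.
    static String renderSafe(VelocityEngine engine, String userName) {
        String template = "Hello, $name!";
        VelocityContext ctx = new VelocityContext();
        ctx.put("name", userName);                        // input treated as data
        StringWriter out = new StringWriter();
        engine.evaluate(ctx, out, "greeting", template);
        return out.toString();
    }

    // Second layer: SecureUberspector refuses method calls from templates on the
    // classes and packages in its restrict lists (by default Class, ClassLoader,
    // Runtime, System, Thread, java.lang.reflect and others), so a reference
    // that reaches the context cannot pivot through reflection.
    static VelocityEngine hardenedEngine() {
        VelocityEngine engine = new VelocityEngine();
        engine.setProperty(RuntimeConstants.UBERSPECT_CLASSNAME,
                           SecureUberspector.class.getName());
        engine.init();
        return engine;
    }

    public static void main(String[] args) {
        VelocityEngine engine = hardenedEngine();
        // Constructed input: the harmless arithmetic probe mentioned in the FAQ.
        String input = "#set($x=1+1)$x";
        System.out.println(renderUnsafe(engine, input)); // directive is evaluated
        System.out.println(renderSafe(engine, input));   // appears as literal text
    }
}
```

Note that SecureUberspector does not stop the unsafe path from evaluating plain VTL such as #set; it only limits which Java methods a template may reach, which is why the fixed-template pattern is the primary control and the uberspector the backstop.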