{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,20]],"date-time":"2026-05-20T10:08:33Z","timestamp":1779271713628,"version":"3.51.4"},"reference-count":65,"publisher":"Association for Computing Machinery (ACM)","issue":"2","license":[{"start":{"date-parts":[[2026,5,20]],"date-time":"2026-05-20T00:00:00Z","timestamp":1779235200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/legalcode"}],"funder":[{"name":"SERICS","award":["PE00000014"],"award-info":[{"award-number":["PE00000014"]}]},{"name":"EU - NGEU"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Web"],"published-print":{"date-parts":[[2026,5,31]]},"abstract":"<jats:p>Template engines play a pivotal role in modern web application development by enabling the dynamic rendering of content, products, and user interfaces. Today, they are essential for any website that handles dynamic data, from e-commerce to social media. However, their widespread adoption also makes them attractive targets for attackers seeking to exploit vulnerabilities and gain unauthorized access to web servers.<\/jats:p>\n                  <jats:p>This article presents a comprehensive assessment of the risks associated with template engines, with a particular focus on the consequences of Server-Side Template Injection (SSTI) and the ease with which such vulnerabilities can escalate to Remote Code Execution (RCE), a critical security concern in web application development.<\/jats:p>","DOI":"10.1145\/3799796","type":"journal-article","created":{"date-parts":[[2026,2,26]],"date-time":"2026-02-26T11:40:43Z","timestamp":1772106043000},"page":"1-31","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":0,"title":["An Assessment of the Overlooked Dangers of Template Engines"],"prefix":"10.1145","volume":"20","author":[{"ORCID":"https:\/\/orcid.org\/0009-0001-0129-1976","authenticated-orcid":false,"given":"Lorenzo","family":"Pisu","sequence":"first","affiliation":[{"name":"University of Cagliari","place":["Cagliari, Italy"]}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-2640-4663","authenticated-orcid":false,"given":"Davide","family":"Maiorca","sequence":"additional","affiliation":[{"name":"University of Cagliari","place":["Cagliari, Italy"]}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-5759-3017","authenticated-orcid":false,"given":"Giorgio","family":"Giacinto","sequence":"additional","affiliation":[{"name":"University of Cagliari","place":["Cagliari, Italy"]},{"name":"National Interuniversity Consortium for Informatics","place":["Cagliari, Italy"]}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2026,5,20]]},"reference":[{"key":"e_1_3_1_2_2","unstructured":"Apache. 2015. Apache freemarker. Retrieved from https:\/\/github.com\/apache\/freemarker"},{"key":"e_1_3_1_3_2","unstructured":"Apache. 2013. Apache velocity engine. Retrieved from https:\/\/github.com\/apache\/velocity-engine"},{"key":"e_1_3_1_4_2","unstructured":"The Go Authors. 2012. Golang html\/template package. Retrieved from https:\/\/pkg.go.dev\/html\/template"},{"key":"e_1_3_1_5_2","first-page":"50","volume-title":"International Conference on Cyber Security and Computer Science (ICONCS 2018)","author":"Biswas S.","year":"2018","unstructured":"S. Biswas, M. Sohel, M. M. Sajal, T. Afrin, T. Bhuiyan, and M. M. Hassan. 2018. A study on remote code execution vulnerability in web applications. In International Conference on Cyber Security and Computer Science (ICONCS 2018). 50\u201357."},{"key":"e_1_3_1_6_2","unstructured":"Malthe Borch. 2014. Chameleon. https:\/\/github.com\/malthe\/chameleon"},{"key":"e_1_3_1_7_2","unstructured":"Boris Moore. 2011. JsRender. Retrieved from https:\/\/github.com\/BorisMoore\/jsrender"},{"issue":"3","key":"e_1_3_1_8_2","doi-asserted-by":"crossref","first-page":"255","DOI":"10.1109\/TDSC.2008.58","article-title":"On the general applicability of instruction-set randomization","volume":"7","author":"Boyd Stephen W.","year":"2008","unstructured":"Stephen W. Boyd, Gaurav S. Kc, Michael E. Locasto, Angelos D. Keromytis, and Vassilis Prevelakis. 2008. On the general applicability of instruction-set randomization. IEEE Transactions on Dependable and Secure Computing 7, 3 (2008), 255\u2013270.","journal-title":"IEEE Transactions on Dependable and Secure Computing"},{"key":"e_1_3_1_9_2","unstructured":"Oleg Broytman and Tavis Rudd. 2009. Cheetah template engine. Retrieved from https:\/\/github.com\/rtyler\/cheetah"},{"key":"e_1_3_1_10_2","unstructured":"CheetahTemplate3. 2017. cheetah3. https:\/\/github.com\/CheetahTemplate3\/cheetah3"},{"key":"e_1_3_1_11_2","unstructured":"Marko community. 2014. Marko. https:\/\/github.com\/marko-js\/marko"},{"key":"e_1_3_1_12_2","unstructured":"The MITRE corporation. 1999. CVE: Common vulnerabilities and exposures (CVE)."},{"key":"e_1_3_1_13_2","volume-title":"ZAP-ESUP: ZAP Efficient Scanner for Server Side Template Injection Using Polyglots","author":"Silva Diogo Campos da","year":"2018","unstructured":"Diogo Campos da Silva. 2018. ZAP-ESUP: ZAP Efficient Scanner for Server Side Template Injection Using Polyglots."},{"key":"e_1_3_1_14_2","unstructured":"Django software foundation. 2012. Django."},{"key":"e_1_3_1_15_2","unstructured":"Microsoft. 2002. ASP.NET."},{"key":"e_1_3_1_16_2","unstructured":"Microsoft. 2010. Razor."},{"key":"e_1_3_1_17_2","unstructured":"Edgewall software. 2011. Genshi. Retrieved from https:\/\/github.com\/edgewall\/genshi"},{"key":"e_1_3_1_18_2","doi-asserted-by":"crossref","unstructured":"Ben Gubler. 2017. SquirrellyJS.","DOI":"10.5465\/AMBPP.2017.233"},{"key":"e_1_3_1_19_2","unstructured":"HackerOne. 2012. Hackerone bug bounty platform."},{"key":"e_1_3_1_20_2","unstructured":"handlebars-lang. 2010. Handlebars."},{"issue":"6","key":"e_1_3_1_21_2","first-page":"732","article-title":"Success rate of remote code execution attacks: Expert assessments and observations","volume":"18","author":"Holm Hannes","year":"2012","unstructured":"Hannes Holm, Teodor Sommestad, Ulrik Franke, and Mathias Ekstedt. 2012. Success rate of remote code execution attacks: Expert assessments and observations. Journal of Universal Computer Science (Online) 18, 6 (2012), 732\u2013749.","journal-title":"Journal of Universal Computer Science (Online)"},{"key":"e_1_3_1_22_2","unstructured":"HubSpot. 2014. Jinjava."},{"key":"e_1_3_1_23_2","doi-asserted-by":"publisher","DOI":"10.1145\/948109.948146"},{"key":"e_1_3_1_24_2","article-title":"Server-side template injection: RCE for the modern webapp","author":"Kettle James","year":"2015","unstructured":"James Kettle. 2015. Server-side template injection: RCE for the modern webapp. Black Hat USA (2015). https:\/\/blackhat.com\/docs\/us-15\/materials\/us-15-Kettle-Server-Side-Template-Injection-RCE-For-The-Modern-Web-App-wp.pdf","journal-title":"Black Hat USA"},{"key":"e_1_3_1_25_2","unstructured":"Vladimir Kharlampidi. 2014. Template7. Retrieved from https:\/\/github.com\/nolimits4web\/template7"},{"key":"e_1_3_1_26_2","unstructured":"Roland Koebler. 2013. Pyratemp. Retrieved from https:\/\/www.simple-is-better.org\/template\/pyratemp.html"},{"key":"e_1_3_1_27_2","unstructured":"Laravel. 2011. Laravel."},{"key":"e_1_3_1_28_2","unstructured":"LinkedIn. 2012. dustjs."},{"key":"e_1_3_1_29_2","volume-title":"chameleon","unstructured":"malthe. [n.d.]. chameleon."},{"key":"e_1_3_1_30_2","doi-asserted-by":"crossref","unstructured":"Azat Mardan. 2018. Template engines: Pug and handlebars. In Practical Node. js: Building Real-World Scalable Web Apps. Springer 113\u2013163.","DOI":"10.1007\/978-1-4842-3039-8_4"},{"key":"e_1_3_1_31_2","unstructured":"Marko community. 2014. Marko."},{"key":"e_1_3_1_32_2","unstructured":"mde. 2014. EJS."},{"key":"e_1_3_1_33_2","unstructured":"Mojolicious. 2010. Mojo."},{"key":"e_1_3_1_34_2","unstructured":"Mozilla. 2012. Nunjucks. Retrieved from https:\/\/github.com\/mozilla\/nunjucks"},{"key":"e_1_3_1_35_2","volume-title":"Smarty Documentation","author":"Group Inc. New Digital","unstructured":"Inc. New Digital Group. [n.d.]. Smarty Documentation."},{"key":"e_1_3_1_36_2","unstructured":"New digital group Inc. 2014. Smarty."},{"key":"e_1_3_1_37_2","unstructured":"olado. 2011. doT."},{"key":"e_1_3_1_38_2","unstructured":"Jens Segers. 2018. Blade templates."},{"key":"e_1_3_1_39_2","unstructured":"Taylor Otwell. 2011. Laravel."},{"key":"e_1_3_1_40_2","unstructured":"OWASP. 2021. OWASP top 10 A03:2021 Injection."},{"key":"e_1_3_1_41_2","unstructured":"OWASP. 2015. ZAP."},{"key":"e_1_3_1_42_2","unstructured":"Pallets. 2010. Flask."},{"key":"e_1_3_1_43_2","unstructured":"Pallets. 2010. Jinja."},{"key":"e_1_3_1_44_2","doi-asserted-by":"publisher","DOI":"10.1145\/988672.988703"},{"key":"e_1_3_1_45_2","unstructured":"PebbleTemplates. 2012. Pebble templates."},{"key":"e_1_3_1_46_2","unstructured":"Massimo Di Pierro. 2008. web2py."},{"key":"e_1_3_1_47_2","unstructured":"Emilio Pinna. 2016. Tplmap."},{"key":"e_1_3_1_48_2","unstructured":"PortSwigger. 2005. Burp suite."},{"key":"e_1_3_1_49_2","unstructured":"pugjs. 2010. Pug."},{"key":"e_1_3_1_50_2","volume-title":"Jinja2 Documentation","author":"Ronacher Armin","unstructured":"Armin Ronacher. [n.d.]. Jinja2 Documentation."},{"key":"e_1_3_1_51_2","unstructured":"ruby. 2020. ERB. Retrieved from https:\/\/github.com\/ruby\/erb"},{"key":"e_1_3_1_52_2","doi-asserted-by":"publisher","DOI":"10.1109\/HST.2017.7951732"},{"key":"e_1_3_1_53_2","unstructured":"slim-template. 2010. Slim."},{"key":"e_1_3_1_54_2","unstructured":"smarty-php. 2014. Smarty."},{"key":"e_1_3_1_55_2","volume-title":"Genshi Documentation","author":"Software Edgewall","unstructured":"Edgewall Software. [n.d.]. Genshi Documentation."},{"key":"e_1_3_1_56_2","unstructured":"SQLAlchemy. 2018. Mako."},{"key":"e_1_3_1_57_2","volume-title":"Squirrelly","unstructured":"squirrellyjs. [n.d.]. Squirrelly."},{"key":"e_1_3_1_58_2","unstructured":"thymeleaf. 2012. Thymeleaf."},{"key":"e_1_3_1_59_2","unstructured":"tornadoweb. 2009. Tornado."},{"key":"e_1_3_1_60_2","unstructured":"twigphp. 2009. Twig."},{"key":"e_1_3_1_61_2","unstructured":"vuejs. 2015. Vue.js."},{"key":"e_1_3_1_62_2","doi-asserted-by":"publisher","DOI":"10.1145\/3469213.3471315"},{"key":"e_1_3_1_63_2","doi-asserted-by":"crossref","first-page":"249","DOI":"10.18293\/SEKE2021-132","volume-title":"SEKE","author":"Wang Liu","year":"2021","unstructured":"Liu Wang, Ruiqing Li, Jiaxin Zhu, Guangdong Bai, Weihang Su, and Haoyu Wang. 2021. Understanding the impact of COVID-19 on Github developers: A preliminary study. In SEKE. 249\u2013254."},{"key":"e_1_3_1_64_2","unstructured":"web2py. 2008. Web2py."},{"key":"e_1_3_1_65_2","volume-title":"Dust documentation","author":"Williams Aleksander","unstructured":"Aleksander Williams. [n.d.]. Dust documentation."},{"key":"e_1_3_1_66_2","first-page":"3691","volume-title":"32nd USENIX Security Symposium (USENIX Security 23)","author":"Zhao Yudi","year":"2023","unstructured":"Yudi Zhao, Yuan Zhang, and Min Yang. 2023. Remote code execution from \\(\\lbrace\\) SSTI \\(\\rbrace\\) in the sandbox: Automatically detecting and exploiting template escape bugs. In 32nd USENIX Security Symposium (USENIX Security 23). 3691\u20133708."}],"container-title":["ACM Transactions on the Web"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3799796","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,5,20]],"date-time":"2026-05-20T09:37:37Z","timestamp":1779269857000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3799796"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026,5,20]]},"references-count":65,"journal-issue":{"issue":"2","published-print":{"date-parts":[[2026,5,31]]}},"alternative-id":["10.1145\/3799796"],"URL":"https:\/\/doi.org\/10.1145\/3799796","relation":{},"ISSN":["1559-1131","1559-114X"],"issn-type":[{"value":"1559-1131","type":"print"},{"value":"1559-114X","type":"electronic"}],"subject":[],"published":{"date-parts":[[2026,5,20]]},"assertion":[{"value":"2024-07-02","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2025-10-26","order":2,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2026-05-20","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}