GoSSTI is an SSTI (server-side template injection) scanner for web applications, developed in Go. GoSSTI allows you to detect the template engine of the language running behind an existing application.
USAGE:
gossti detect -u <URL>
Currently, gossti doesn't provide dynamic parameter analysis. You have to replace the value of each variable you want tested with the string "SSTI".
OPTIONS:
-h, --help                help for detect command
-u, --url string          The target IP or domain to scan
-C, --cookies strings     Cookies to use (e.g. -C 'cookie1=value1; cookie2=value2')
-X, --method string       The HTTP method to use (default "GET")
    --user-agent string   Custom user-agent to use (default "gossti 1.0.0")
    --timeout duration    Timeout for HTTP requests (e.g. 10s)
NOTE: For the first usage, you need to download the gossti database with the following command:
gossti plugins update
USAGE:
gossti detect -u <URL> -X POST --form 'field1=value1,field2=value2'
OPTIONS:
--form strings               Form fields to use (e.g. --form 'field1=value1,field2=value2')
--form-item stringToString   Form field to use (e.g. --form 'field1=value1' --form 'field2=value2')
--form-type string           Form type to use (e.g. urlencoded, multipart) (default "urlencoded")
Using GET method:
gossti detect -u 'http://example.com/something?name=SSTI'
Using POST method and multipart form:
gossti detect -u http://example.com/something -X POST --form 'field1=SSTI,field2=value2' --form-type multipart
Using PUT method and custom user-agent:
gossti detect -u 'http://example.com/something?name=SSTI' -X PUT --user-agent "custom-agent 1.0"
Each plugin concerns a single language. All plugins can be found in the plugins folder, named like this: <language>.yml.
The document format is the following:
version: 1.0.0
name: Python
engines:
  - name: Mako
    payloads:
      - id: python_mako_ecA9Ba9885
        payload: ${21389+219839}
        response:
          expected: 241228
          invalidate: ${241228}
          error: false
version: The version of the plugin
name: The name of the language
engines: The template engines of the language
name: The name of the template engine
payloads: The payloads to use
id: The ID of the payload
payload: The payload to use
response: The response to expect
expected: The expected response
invalidate: The payload to use to invalidate the cache
error: If the response is an error
To add a new payload, add it to the payloads section of the plugin.
Define the payload ID like this: <language>_<template_engine>_<random_string>
You can generate a random string with the following command:
python3 -c "import random; import string; print(''.join(random.choice(string.hexdigits) for i in range(10)))"
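A lint pass a contributor could run over new plugin entries before submitting them, as an added example (not gossti's own code): it checks each ID against the <language>_<template_engine>_<random_string> convention and flags duplicate IDs and empty payloads. The Go types, the lowercasing of the language and engine names, and the 10-hex-digit suffix length are assumptions taken from the sample entry and the command above.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// These types mirror the documented plugin fields; they are assumptions, not gossti's own structs.
type (
	Entry  struct{ ID, Payload string }
	Engine struct{ Name string; Payloads []Entry }
	Plugin struct{ Name string; Engines []Engine }
)

// The random suffix: 10 characters from the hexdigits alphabet (both cases), as the command above emits.
var suffixRe = regexp.MustCompile(`^[0-9a-fA-F]{10}$`)

// LintPlugin returns one message per entry that breaks the ID convention, repeats an ID, or has no payload.
func LintPlugin(p Plugin) (problems []string) {
	seen := map[string]bool{}
	for _, e := range p.Engines {
		prefix := strings.ToLower(p.Name + "_" + e.Name + "_")
		for _, pl := range e.Payloads {
			switch suffix := strings.TrimPrefix(pl.ID, prefix); {
			case seen[pl.ID]:
				problems = append(problems, pl.ID+": duplicate ID")
			case suffix == pl.ID || !suffixRe.MatchString(suffix):
				problems = append(problems, pl.ID+": want "+prefix+"<10 hex digits>")
			}
			if pl.Payload == "" {
				problems = append(problems, pl.ID+": empty payload")
			}
			seen[pl.ID] = true
		}
	}
	return problems
}

func main() {
	// Constructed sample: the entry shown above plus one entry with a malformed ID.
	p := Plugin{Name: "Python", Engines: []Engine{{Name: "Mako", Payloads: []Entry{
		{ID: "python_mako_ecA9Ba9885", Payload: "${21389+219839}"},
		{ID: "mako_1", Payload: "${21389+219839}"},
	}}}}
	for _, msg := range LintPlugin(p) {
		fmt.Println(msg)
	}
}
```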
We are now shipping binaries for each of the releases so that you don't even have to build them yourself! How wonderful is that!
If you're stupid enough to trust binaries that I've put together, you can download them from the releases page.
If you have a Go environment ready to go (at least go 1.19), it's as easy as:
go install github.com/LeoFVO/gossti@latest
PS: You need at least go 1.19 to compile gossti.
docker pull ghcr.io/leofvo/gossti:latest
docker run ghcr.io/leofvo/gossti:latest
Since this tool is written in Go you need to install the Go language/compiler/etc. Full details of installation and set up can be found on the Go language website. Once installed you have two options. You need at least go 1.19 to compile gossti.
git clone git@github.com:LeoFVO/gossti.git
gossti has external dependencies, and so they need to be pulled in first:
go get && go build
This will create a gossti binary for you. If you want to install it in the $GOPATH/bin folder you can run:
go install
The documentation is available at https://leofvo.github.io/gossti/.
In order to deploy documentation for your project, you need to allow GitHub Actions to deploy GitHub Pages. To do so, go to your repository settings > Pages, and in the Build and deployment section, select GitHub Actions as the source.
See the LICENSE file.