TInjA is a CLI tool for testing web pages for template injection vulnerabilities.
It supports 44 of the most relevant template engines (as of September 2023) for eight different programming languages.
TInjA was developed by Hackmanit and Maximilian Hildebrand.
Prebuilt binaries of TInjA are provided on the releases page.
Requirements: go1.21 or higher
go install -v github.com/Hackmanit/TInjA@latest
tinja url -u "http://example.com/"tinja url -u "http://example.com/" -u "http://example.com/path2"tinja url -u "file:/path/to/file"tinja raw -R "/path/to/file"tinja jsonl -j "/path/to/file"{
"request":{
"method":"POST",
"endpoint":"http://example.com/path",
"body":"name=Kirlia",
"headers":{
"Content-Type":"application/x-www-form-urlencoded"
}
}
--header/-H specifies headers which shall be added to the request.tinja url -u "http://example.com/" -H "Authentication: Bearer ey..."--cookie/-c specifies cookies which shall be added to the request.tinja url -u "http://example.com/" -c "PHPSESSID=ABC123..."--data/-d specifies the POST body which shall be added to the request.tinja url -u "http://example.com/" -d "username=Kirlia&password=notguessable"--csti enables the scanning for CSTI.tinja url -u "http://example.com/" --cstiBy default TInjA only scans for SSTI. A headless browser is utilized for scanning for CSTI, which may increase RAM and CPU usage.
--reportpath enables generating a report in JSONL format. The report will be updated after each scanned URL and will be stored at the provided path.tinja url -u "http://example.com/" --reportpath "/home/user/Documents"--proxyurl specifies the URL and port of a proxy to be used for scanning.tinja url -u "http://example.com/" --proxyurl "http://127.0.0.1:8080"--proxycertpath specifies the CA certificate of the proxy in PEM format (needed when scanning HTTPS URLs).tinja url -u "http://example.com/" --proxyurl "http://127.0.0.1:8080" --proxycertpath "/home/user/Documents/cacert.pem"To scan HTTPS URLs using a proxy a CA certificate of the proxy in PEM format is needed. Burp Suite CA certificates are provided in DER format, for example. To convert them, the following command can be used:
openssl x509 -inform DER -outform PEM -text -in cacert.der -out cacert.pem
--ratelimit/-r specifies the number of maximum requests per second allowed. By default, this number is unrestricted.tinja url -u "http://example.com/" --ratelimit 10[ERR] Couldn't connect to URL: remote error: tls: user canceled--proxycertpath (see Use a Proxy).[ERR] Error reading response from target server via proxy: malformed HTTP response "HTTP/1.1"Default to HTTP/2 if the server supports it in Burp Suite's settings (Network > HTTP).TINJA marker to mark where the polyglots shall be placed.A blog post providing more information about template injection and TInjA – the Template INJection Analyzer can be found here:
Template Injection Vulnerabilities – Understand, Detect, Identify
TInjA was developed as a part of a master's thesis by Maximilian Hildebrand. You can find results of the master's thesis publicly available here: - Template Injection Table - Template Injection Playground - TInjA – the Template INJection Analyzer - Master's Thesis (PDF)
TInjA – the Template INJection Analyzer was developed by Hackmanit and Maximilian Hildebrand as a part of his master's thesis. TInjA – the Template INJection Analyzer is licensed under the Apache License, Version 2.0.
$ claude mcp add TInjA \
-- python -m otcore.mcp_server <graph>