> ## Documentation Index
> Fetch the complete documentation index at: https://support.blackbirdsec.eu/llms.txt
> Use this file to discover all available pages before exploring further.

# Server-Side Template Injection (SSTI) Scanner

> INJECT49 is a sophisticated Server-Side Template Injection (SSTI) scanner.

## Overview

INJECT49 is a scanner designed to identify Server-Side Template Injection (SSTI) vulnerabilities. SSTI (CWE-1336) arises when user-controlled input is embedded into template source that the server then evaluates, so attacker-supplied template expressions execute with the privileges of the application. It is usually rated critical because, on most engines, it leads directly to remote code execution and full compromise of the vulnerable system.

INJECT49's detection techniques help uncover these flaws in web applications.

## Usage Examples

You can specify a list of target URLs for INJECT49 to check for Server-Side Template Injection vulnerabilities. Optionally, you may [configure any settings](/pentesting-tools/global-configuration) you'd like. Afterward, simply click on **Scan** to launch your scan.

Shortly after your scan has been launched, you will be redirected to the page to view your pending scan.

<img src="https://mintcdn.com/novasecurity/bnD-0b9ht-jotL_z/images/pentesting-tools/inject49/usage.png?fit=max&auto=format&n=bnD-0b9ht-jotL_z&q=85&s=dbf5f114db5826d8fdc07c8db1539de8" width="1920" height="885" data-path="images/pentesting-tools/inject49/usage.png" />

<Warning>
  You must provide a list of target URLs to test (full paths, including any query parameters to be injected into), not base URLs or root domains. A few examples:

  Correct:

  <Icon icon="check" /> `https://example.com/path/to/scan?param1=xyz&param2=xyz`

  <Icon icon="check" /> `https://api.example.com/path/to/scan2`

  Incorrect:

  <Icon icon="xmark" /> `https://example.com/`

  <Icon icon="xmark" /> `https://app.example.com/`
</Warning>

## Capabilities

INJECT49 is a sophisticated Server-Side Template Injection (SSTI) scanner equipped with the following capabilities:

<AccordionGroup>
  <Accordion title="Server-Side Template Injection (SSTI) Detection">
    INJECT49 detects both full Server-Side Template Injection (SSTI), where the evaluated result of an injected expression is reflected in the response, and blind SSTI, where nothing is reflected and the injection has to be confirmed out-of-band.
  </Accordion>

  <Accordion title="Support For 10+ Popular Templating Engines">
    INJECT49 can detect SSTI vulnerabilities in 13 popular templating engines: Python Flask, Common Expression Language (CEL), Freemarker, Groovy, Django, Twig, Jinja2, Jade, Razor, Mako, ERB, Slim and Smarty.
  </Accordion>

  <Accordion title="Integrated OAST Server">
    INJECT49 validates flagged findings out-of-band against [your private OAST Server](/oast-server/oast-server): the injected payload makes the target call back to it, so reported vulnerabilities are confirmed rather than inferred, giving you a false-positive-free experience.
  </Accordion>

  <Accordion title="Advanced Payloads With WAF Bypasses">
    Advanced payloads with Web Application Firewall (WAF) bypasses for popular firewalls such as Cloudflare and Akamai.
  </Accordion>
</AccordionGroup>
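The following Python block is an added illustration of the two detection modes described in the capabilities above (reflected "full" SSTI, and blind SSTI confirmed through an OAST callback); it is not INJECT49's code and does not show how the product is implemented. The target "apps", the toy template evaluator with its `fetch()` primitive, and the `oast.example` domain are all constructed assumptions so the block runs offline; against a real target, `send` would be an HTTP request that places the payload in the parameter under test.

```python
"""SSTI probe logic for reflected (full) and out-of-band (blind) detection.
Added illustration, not INJECT49's own code."""
import ast
import html
import operator
import re
import secrets
from typing import Callable

# ---- Constructed stand-in for a target (assumption: not a real engine) -------
# A toy template language that evaluates {{ expr }} with a tiny AST walker, so the
# probes have something to react to offline. Real engines need engine-specific
# gadgets; `fetch(url)` is invented here to model "make the server fetch a URL".
_OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul}
OAST_INBOX: set = set()  # hostnames our pretend OAST server has "seen"


def _eval(node):
    if isinstance(node, ast.Expression):
        return _eval(node.body)
    if isinstance(node, ast.Constant):
        return node.value
    if isinstance(node, ast.BinOp) and type(node.op) in _OPS:
        return _OPS[type(node.op)](_eval(node.left), _eval(node.right))
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
            and node.func.id == "fetch" and node.args):
        host = re.sub(r"^https?://([^/]+).*$", r"\1", str(_eval(node.args[0])))
        OAST_INBOX.add(host)          # the "server" contacted our host
        return ""
    raise ValueError("unsupported expression")


def toy_render(template: str) -> str:
    def sub(m):
        try:
            return str(_eval(ast.parse(m.group(1).strip(), mode="eval")))
        except Exception:
            return m.group(0)         # unparsable: left as literal text
    return re.sub(r"\{\{(.*?)\}\}", sub, template)


def vulnerable_app(name: str) -> str:   # input concatenated into template source
    return toy_render("<h1>Hello " + name + "</h1>")


def blind_app(name: str) -> str:        # evaluates the template, reflects nothing
    toy_render("<h1>Hello " + name + "</h1>")
    return "<p>Thanks, your name was saved.</p>"


def safe_app(name: str) -> str:         # input treated as data, never as template
    return "<h1>Hello " + html.escape(name) + "</h1>"


def decoy_app(name: str) -> str:        # static "49" on the page: a 7*7 probe would lie
    return "<p>Order #49 total: 49</p><h1>Hello " + html.escape(name) + "</h1>"


# ---- Scanner side ----------------------------------------------------------
# Delimiters to try; EXPR is replaced by the probe expression. The engine names
# are the usual users of each syntax, a hint for follow-up rather than proof.
SYNTAXES = {
    "{{ }}": "{{EXPR}}",       # Jinja2, Twig
    "${ }": "${EXPR}",         # Freemarker, Mako
    "<%= %>": "<%= EXPR %>",   # ERB
    "#{ }": "#{EXPR}",         # Slim, Pug (Jade)
}


def probe_reflected(send: Callable[[str], str]) -> list:
    """Full SSTI: the evaluated result of our expression shows up in the body."""
    hits = []
    for label, tmpl in SYNTAXES.items():
        a = secrets.randbelow(900) + 100      # random operands: the expected
        b = secrets.randbelow(900) + 100      # product is unlikely to pre-exist
        first = str(a * b) in send(tmpl.replace("EXPR", f"{a}*{b}"))
        # control probe: a different expression must yield a different result,
        # which rules out a page that merely happens to contain our number
        second = str((a + 1) * b) in send(tmpl.replace("EXPR", f"{a + 1}*{b}"))
        if first and second:
            hits.append(label)
    return hits


def probe_blind(send: Callable[[str], str], oast_domain: str) -> list:
    """Blind SSTI: nothing is reflected, so the payload makes the target call a
    per-probe subdomain of our OAST host and we check whether the call arrived."""
    hits = []
    for label, tmpl in SYNTAXES.items():
        token = secrets.token_hex(6)
        send(tmpl.replace("EXPR", f"fetch('http://{token}.{oast_domain}/')"))
        if f"{token}.{oast_domain}" in OAST_INBOX:
            hits.append(label)
    return hits


if __name__ == "__main__":
    for app in (vulnerable_app, blind_app, safe_app, decoy_app):
        print(f"{app.__name__:15} reflected={probe_reflected(app)} "
              f"blind={probe_blind(app, 'oast.example')}")
```

Two design points carry over to real scanning. Random operands plus a control probe are what separate "the page evaluated my expression" from "the page already contained that number", which a fixed `7*7` probe cannot do. And the blind probe reports a hit only when the per-probe token actually arrives at the OAST host, which is the out-of-band confirmation the OAST capability above refers to.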

## Limitations

There are currently no limitations reported for INJECT49.

## Best Practices

We recommend that you follow the [best practices that we've outlined in detail](/getting-started/best-practices).
