GoSSTI is an SSTI (server-side template injection) scanner for web applications, written in Go.
GoSSTI lets you detect which template engine, and therefore which language, is running behind an existing application.

How to Use

USAGE:
gossti detect -u <URL>

gossti does not yet analyse parameters dynamically. You have to mark the injection point yourself: set the value of the parameter you want tested to the string "SSTI", and gossti substitutes its payloads at that position.

OPTIONS:

-h, --help help for detect command
-u, --url string The target IP or domain to scan
-C, --cookies strings Cookies to use (e.g. -C 'cookie1=value1; cookie2=value2')
-X, --method string The HTTP method to use (default "GET")
--user-agent string Custom user-agent to use (default "gossti 1.0.0")
--timeout duration Timeout for HTTP requests (e.g. 10s)

Advanced Usage with forms

USAGE:
gossti detect -u <URL> -X POST --form 'field1=value1,field2=value2'

OPTIONS:
--form strings Form fields to use (e.g. --form 'field1=value1,field2=value2')
--form-item stringToString Single form field to use, repeatable (e.g. --form-item 'field1=value1' --form-item 'field2=value2')
--form-type string Form type to use (e.g. urlencoded, multipart) (default "urlencoded")

Some examples

Using GET method:

gossti detect -u http://example.com/something?name=SSTI

Using POST method and multipart form:

gossti detect -u http://example.com/something -X POST --form 'field1=SSTI,field2=value2' --form-type multipart

Using PUT method and custom user-agent:

gossti detect -u http://example.com/something?name=SSTI -X PUT --user-agent "custom-agent 1.0"
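To make the "SSTI" marker convention concrete, here is an added Go example of the substitution-and-fingerprint approach. It is my own illustration, not gossti's code: gossti's real payload list and engine fingerprints are not documented on this page, so the probe table, the engine family names and the helper names are assumptions. The example replaces the marker with an arithmetic expression in several template syntaxes, sends each to the target, and reports the family whose syntax was evaluated. The target is a constructed in-process server that mimics a Jinja2-style engine; 1337*1337 is used instead of the usual 7*7 so the expected product is unlikely to appear in a page by coincidence, and a response that merely echoes the payload is treated as reflection, not evaluation.

```go
package main

import (
	"fmt"
	"io"
	"log"
	"net/http"
	"net/http/httptest"
	"net/url"
	"regexp"
	"strconv"
	"strings"
)

// Marker is the placeholder the user puts in the request, as described above.
const Marker = "SSTI"

// Probe pairs a template-syntax payload with the value an engine produces
// when it actually evaluates it, and the engine family that syntax suggests.
type Probe struct {
	Payload  string
	Expected string
	Family   string
}

// Probes is an assumed, illustrative list; it is not gossti's own payload set.
var Probes = []Probe{
	{"{{1337*1337}}", "1787569", "Jinja2/Twig/Nunjucks"},
	{"${1337*1337}", "1787569", "FreeMarker/Mako"},
	{"<%= 1337*1337 %>", "1787569", "ERB/EJS"},
}

// InjectMarker substitutes the payload for every SSTI marker in a raw URL.
// Payloads are query-escaped so braces and percent signs survive the trip.
func InjectMarker(rawURL, payload string) (string, error) {
	if !strings.Contains(rawURL, Marker) {
		return "", fmt.Errorf("no %q marker found in %s", Marker, rawURL)
	}
	return strings.ReplaceAll(rawURL, Marker, url.QueryEscape(payload)), nil
}

// Detect sends each probe and returns the family of the first payload the
// target evaluated, or "" if every probe came back unevaluated.
func Detect(client *http.Client, rawURL string) (string, error) {
	for _, p := range Probes {
		target, err := InjectMarker(rawURL, p.Payload)
		if err != nil {
			return "", err
		}
		resp, err := client.Get(target)
		if err != nil {
			return "", err
		}
		body, err := io.ReadAll(resp.Body)
		resp.Body.Close()
		if err != nil {
			return "", err
		}
		s := string(body)
		// The raw payload echoed back is reflection, not evaluation: require
		// the computed product to be present and the payload text to be absent.
		if strings.Contains(s, p.Expected) && !strings.Contains(s, p.Payload) {
			return p.Family, nil
		}
	}
	return "", nil
}

var curly = regexp.MustCompile(`\{\{\s*(\d+)\s*\*\s*(\d+)\s*\}\}`)

// NewVulnerableServer is a constructed target that renders the "name" query
// parameter like a Jinja2-style engine: {{a*b}} is evaluated, all else echoed.
func NewVulnerableServer() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		name := curly.ReplaceAllStringFunc(r.URL.Query().Get("name"), func(m string) string {
			sub := curly.FindStringSubmatch(m)
			a, _ := strconv.Atoi(sub[1])
			b, _ := strconv.Atoi(sub[2])
			return strconv.Itoa(a * b)
		})
		fmt.Fprintf(w, "Hello %s", name)
	}))
}

// NewReflectingServer is a constructed target that only echoes the input.
func NewReflectingServer() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "Hello %s", r.URL.Query().Get("name"))
	}))
}

func main() {
	srv := NewVulnerableServer()
	defer srv.Close()
	family, err := Detect(srv.Client(), srv.URL+"/greet?name="+Marker)
	if err != nil {
		log.Fatal(err)
	}
	if family == "" {
		fmt.Println("no template evaluation observed")
		return
	}
	fmt.Println("engine family:", family)
}
```

A real scanner would also need to cope with engines that raise an error instead of rendering, with HTML-escaped output, and with parameters in POST bodies, cookies or headers rather than the query string; the point here is only the marker substitution and the evaluated-versus-reflected check.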


Project License

See gossti license →