GoSSTI is an SSTI (server-side template injection) scanner for web applications, developed in Go.
GoSSTI allows you to detect the template engine, and the language it belongs to, running behind an existing application.
How to Use
USAGE:
gossti detect -u <URL>
Currently, gossti does not analyse parameters dynamically: you have to set the value of each parameter you want tested to the string "SSTI" yourself.
OPTIONS:
-h, --help help for the detect command
-u, --url string The target IP or domain to scan
-C, --cookies strings Cookies to use (e.g. -C 'cookie1=value1; cookie2=value2')
-X, --method string The HTTP method to use (default "GET")
--user-agent string Custom user-agent to use (default "gossti 1.0.0")
--timeout duration Timeout for HTTP requests (e.g. 10s)
Advanced Usage with forms
USAGE:
gossti detect -u <URL> -X POST --form 'field1=value1,field2=value2'
OPTIONS:
--form strings Form fields to use (e.g. --form 'field1=value1,field2=value2')
--form-item stringToString Form field to use (e.g. --form 'field1=value1' --form 'field2=value2')
--form-type string Form type to use (e.g. urlencoded, multipart) (default "urlencoded")
Some examples
Using GET method:
gossti -u http://example.com/something?name=SSTI
Using POST method and multipart form:
gossti -u http://example.com/something -X POST --form 'field1=SSTI,field2=value2' --form-type multipart
Using PUT method and custom user-agent:
gossti -u http://example.com/something?name=SSTI -X PUT --user-agent "custom-agent 1.0"
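What the scanner is looking for when it substitutes the "SSTI" marker, as an added illustration that is not gossti's own code: a Go handler that builds its template source from a request parameter will parse and execute template syntax supplied by the client, while one that keeps a fixed template and passes the parameter as data reflects the marker back unchanged. The example uses Go's standard text/template package; the greeting template and the renderVulnerable/renderSafe names are constructed for this example. The third input shows that a parse error on an unclosed action is engine-specific text, which is the kind of signal a detector relies on when a server leaks it.

```go
package main

import (
	"bytes"
	"fmt"
	"text/template"
)

// Constructed example, not gossti's code: the pattern an SSTI scanner detects.

// renderVulnerable concatenates user-controlled input into the template
// source, so any template syntax in name is parsed and executed.
func renderVulnerable(name string) (string, error) {
	tmpl, err := template.New("greeting").Parse("Hello, " + name + "!")
	if err != nil {
		// A parse error such as "unclosed action" is engine-specific text;
		// returning it to the client is itself a fingerprint of the engine.
		return "", err
	}
	var buf bytes.Buffer
	if err := tmpl.Execute(&buf, nil); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// renderSafe keeps the template source fixed and passes the input as data,
// so braces in name are plain text and come back verbatim.
func renderSafe(name string) (string, error) {
	tmpl := template.Must(template.New("greeting").Parse("Hello, {{.Name}}!"))
	var buf bytes.Buffer
	if err := tmpl.Execute(&buf, map[string]string{"Name": name}); err != nil {
		return "", err
	}
	return buf.String(), nil
}

func main() {
	// "SSTI" is the marker gossti expects in place of a real value; the
	// other two inputs show what the engine does with its own syntax.
	for _, in := range []string{"SSTI", `{{ "evaluated" }}`, "{{"} {
		v, verr := renderVulnerable(in)
		s, serr := renderSafe(in)
		fmt.Printf("input %q\n  vulnerable: %q err=%v\n  safe:       %q err=%v\n", in, v, verr, s, serr)
	}
}
```

A handler written like renderSafe returns the literal marker (braces included) unchanged, so a probe that comes back verbatim is the expected result for a correctly written template. The fix is not filtering input but never concatenating untrusted text into template source, and keeping template parse errors out of HTTP responses.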
Project License
See the gossti license.