Link Search Menu Expand Document

Server-Side Template Injection in .NET

Vulnerable example

Razor is a parsing engine designed to embed server code into ASP.NET web pages. The following ASP.NET controller concatenates a user-provided string into a Razor template, introducing the Server-Side Template Injection vulnerability.

public ActionResult Index(string name)
    var razorTpl = $"Hello {name}!";
    ViewBag.RenderedTemplate = Razor.Parse(razorTpl);
    ViewBag.Template = razorTpl;
    return View();

The user-supplied name variable is concatenated to the template text, allowing an attacker to inject template code. The screenshot shows the attacker injecting 7*7 to demonstrate that the result 49 is actually computed.

$ curl -g 'http://localhost:5000/page?name=@(7*7)'
Hello 49!

Razor does not restrict the execution of code, which can be easily achieved by using the @{} syntax. For example, the following running system command adds into the temporary folder.

$ curl -g 'http://localhost:5000/page?name=@{ System.Diagnostics.Process.Start("touch /tmp/"); }'


Template engine API mechanisms automatically enforce the separation between code and data, providing the API are called correctly, as shown in the snippets within the RazorEngine section.


RazorEngine is a templating engine built on the Razor parsing engine. It allows the use of the Razor syntax to build dynamic templates. This example passes the name variable, using a dynamic model to be consumed within the template context in a safe manner.

using RazorEngine;
using RazorEngine.Templating;

// ...

public ActionResult Index(string name)
    var razorTpl = "Hello!";
    var result = Engine.Razor.RunCompile(razorTpl, "templateKey", null, new { name = name });
    return result;


CWE - CWE-94: Improper Control of Generation of Code (‘Code Injection’) CWE - CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’) PortSwigger - Server Side Template Injection