Question:
My scan results include Server Side Template Injection (Blind) (ZAP plugin 90036) -- how should I investigate this finding?
Answer:
Alert Behavior
Server Side Template Injection (Blind) is a timing-based ZAP plugin (90036) that HawkScan uses to test for Remote Code Execution scenarios (CWE-74).
In the SSTI blind command injection test, the scanner injects an innocuous sleep command into a request, then compares the response timing from the target application between requests it makes both with and without the attack parameter. The attack parameter will appear in the request body as:
sleep+5
If the scanner can induce delayed responses relative to requests without the sleep component, the alert will be triggered and included in the scan results. It is not triggered based on any particular type of HTTP code in the response (e.g., 200 or 302).
Reproducing the Condition
If the scanner returns this alert, it can be reproduced by copying the curl command output from the Validate button in the alert's Details page and issuing these variations in that request to the application in question:
with the sleep portion of the command removed
with the included sleep command
If responses to requests containing the sleep command are consistently longer than without, that's an indication of the issue and a reason to investigate further.
Resolving the Issue
See the Solution section of Server Side Template Injection (Blind) (90036) on the ZAP page and follow the guidance there.
Additional Information
See:
Similar timing-based Injection tests that HawkScan runs:
Using the linux time command to generate request/response timing information:
You can use the linux 'time' command to generate timings associated with your curl commands.
For example, this curl took .01s from start to finish:
time curl -v -X GET \
"http://localhost:8020" \
-H "Host: localhost:8020" \
-H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0" \
-H "Pragma: no-cache" \
-H "Cache-Control: no-cache" \
-d ''
curl -v -X GET "http://localhost:8020" -H "Host: localhost:8020" -H -H -H 0.00s user 0.01s system 56% cpu 0.026 total
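A single time measurement is easy to misread, so the script below, added here as an example and not part of the original answer or of HawkScan, repeats the request from the alert's Validate button several times with and without the sleep payload, records curl's own time_total for each, and compares medians. The URL and the two request bodies (the original body and the one carrying the injected sleep, which the page shows as sleep+5) are assumptions the reader supplies on the command line; the 5-second delay and the half-delay margin are assumed values, not HawkScan's.

```bash
#!/bin/sh
# Added example: repeat the Validate-button request with and without the sleep
# payload and compare median response times. Not HawkScan's own code.
# Usage: sh ssti_timing_check.sh URL BASELINE_BODY SLEEP_BODY
#   BASELINE_BODY / SLEEP_BODY are placeholders for the bodies copied from the
#   alert's curl output (the sleep variant contains the injected sleep+5).

# median FILE -> prints the median of the one-number-per-line samples in FILE
median() {
  sort -n "$1" | awk '{ v[NR] = $1 }
    END {
      if (NR == 0) { print "nan"; exit }
      if (NR % 2) print v[(NR + 1) / 2]
      else printf "%.4f\n", (v[NR / 2] + v[NR / 2 + 1]) / 2
    }'
}

# is_delayed BASELINE_FILE PAYLOAD_FILE DELAY_SECONDS
# Succeeds (exit 0) when the payload median exceeds the baseline median by at
# least half the injected delay; the half-delay margin (an assumption) leaves
# room for ordinary network jitter while still catching a real sleep.
is_delayed() {
  b=$(median "$1")
  p=$(median "$2")
  awk -v b="$b" -v p="$p" -v d="$3" 'BEGIN { exit !((p - b) >= d / 2) }'
}

# time_request URL BODY OUTFILE -> appends curl's total time for one request
# (-X GET -d mirrors the curl the alert's Validate button produces)
time_request() {
  curl -s -o /dev/null -w '%{time_total}\n' -X GET "$1" -d "$2" >> "$3"
}

# Only contacts the target when all three arguments are given.
if [ $# -eq 3 ]; then
  URL=$1; BASE_BODY=$2; SLEEP_BODY=$3
  DELAY=5                      # assumed: seconds injected by the sleep payload
  WORK=$(mktemp -d)
  i=0
  # Alternate baseline and payload requests so server load drift affects both.
  while [ "$i" -lt 5 ]; do
    time_request "$URL" "$BASE_BODY" "$WORK/baseline"
    time_request "$URL" "$SLEEP_BODY" "$WORK/payload"
    i=$((i + 1))
  done
  echo "baseline median: $(median "$WORK/baseline")s"
  echo "payload  median: $(median "$WORK/payload")s"
  if is_delayed "$WORK/baseline" "$WORK/payload" "$DELAY"; then
    echo "consistent delay observed: investigate template handling for this parameter"
  else
    echo "no consistent delay: likely a false positive, but inspect the individual samples"
  fi
  rm -rf "$WORK"
fi
```

Medians rather than single samples are used because one slow response from garbage collection or a cold cache would otherwise look like an induced delay; when the payload median sits a few seconds above the baseline across every run, the finding is worth escalating to the developers who own the template.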