Server side template injection through fuzzing


sania kanwal

Aug 1, 2022, 3:32:43 AM
to OWASP ZAP User Group
I want to find server-side template injection in the XVWA application. The application is vulnerable to SSTI, but I have to find it by fuzzing manually; this is my requirement. XVWA is using the Twig template engine. I take the payloads from GitHub and perform fuzzing. I also enter the payloads in the XVWA application, then I compare the result with ZAP fuzzing. I have found that all payloads that are executed in the application are also executed in the ZAP fuzzing response window. Payloads that are reflected in ZAP fuzzing are also not executed in the XVWA application. But when I look at the HTTP Fuzz result, it should only show the payloads that are executed, whereas the HTTP Fuzz result shows me all payloads, even those that are reflected. I have a total of 46 payloads, and the HTTP Fuzz result shows me a number of matches of 46. Why? Please tell me what the problem is. I attach screenshots.
ZapResult.png
HTTP FUZZ Result.png
XVWA result.png

kingthorin+owaspzap

Aug 1, 2022, 7:52:01 AM
to OWASP ZAP User Group
That's just how fuzzing works. You have to interpret if the result is relevant or not.

sania kanwal

Aug 1, 2022, 12:55:32 PM
to OWASP ZAP User Group
Payloads that are not executed: why do the HTTP fuzz results show them?

thc...@gmail.com

Aug 1, 2022, 2:39:33 PM
to zaprox...@googlegroups.com
The Fuzzer does not have the information necessary to determine whether something is being executed or not; it simply replaces payloads in the message(s), sends them, and shows them.

It's the user that needs to analyse and decide if something is being executed or not (or whatever test is being done). You can use an HTTP Fuzzer Processor script to automate the analysis though (show or ignore messages based on certain conditions).
https://github.com/zaproxy/community-scripts/tree/main/httpfuzzerprocessor

Best regards.
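The following is an added example of the kind of HTTP Fuzzer Processor script the reply above refers to; it is not part of the thread, of ZAP, or of the community-scripts repository. It assumes ZAP's script hooks `processMessage(utils, message)` and `processResult(utils, fuzzResult)`, the `utils.getPayloads()`, `utils.getOriginalMessage()`, `fuzzResult.getHttpMessage()` and `fuzzResult.addCustomState()` calls, a single fuzz location, and Twig arithmetic semantics (where `7*'7'` evaluates to `49`). The decision logic is kept in a plain `classify()` function so it can be exercised offline on constructed response bodies; only the two hook functions touch ZAP objects. The constant `SHOW_ONLY_EXECUTED` and the states it assigns are this example's own names.

```javascript
// Added example: an OWASP ZAP "HTTP Fuzzer Processor" script (ES5 syntax so it
// runs under ZAP's Graal.js engine) that labels each fuzz result as "executed",
// "reflected", "no evidence" or "unverifiable". processResult() returning false
// discards the result, so the HTTP Fuzz Results tab keeps only the hits you want.
// Not ZAP project code; API names used are as documented in the script template.

// Hypothetical switch: hide everything except results where the probe was evaluated.
var SHOW_ONLY_EXECUTED = true;

// Arithmetic probes such as {{7*7}}, {{7*'7'}}, ${7*7}, #{7*7} or <%= 7*7 %>.
// Group 1 and 2 are the operands; Twig coerces '7' to a number, so 7*'7' is 49.
var PROBE_RE = /^(?:\{\{|\$\{|#\{|<%=)\s*(\d+)\s*\*\s*'?(\d+)'?\s*(?:\}\}|\}|%>)$/;

// Undo the HTML escaping a template usually applies to echoed input, so that
// {{7*&#039;7&#039;}} in the page is still recognised as the reflected {{7*'7'}}.
function htmlDecode(s) {
  return s.replace(/&#0*39;/g, "'")
          .replace(/&quot;/g, '"')
          .replace(/&lt;/g, "<")
          .replace(/&gt;/g, ">")
          .replace(/&amp;/g, "&");
}

function countOccurrences(haystack, needle) {
  if (!needle) { return 0; }
  return haystack.split(needle).length - 1;
}

// Pure decision function: payload that was injected, body of the fuzzed response,
// body of the un-fuzzed (original) response used as a baseline.
// Returns { state: "executed"|"reflected"|"no evidence"|"unverifiable", expected: String|null }.
function classify(payload, body, baselineBody) {
  var decoded = htmlDecode(body);
  var m = PROBE_RE.exec(payload);
  var expected = m ? String(parseInt(m[1], 10) * parseInt(m[2], 10)) : null;

  // Execution evidence: the product shows up MORE often than in the baseline page.
  // A "49" that was already on the page must not be counted as evaluation.
  if (expected !== null &&
      countOccurrences(decoded, expected) > countOccurrences(htmlDecode(baselineBody), expected)) {
    return { state: "executed", expected: expected };
  }
  // The template text came back untouched: the engine did not evaluate it.
  if (decoded.indexOf(payload) !== -1) {
    return { state: "reflected", expected: expected };
  }
  // Non-arithmetic payloads (e.g. {{_self.env}}) have no computable expected value;
  // they still need a human to read the response.
  if (expected === null) {
    return { state: "unverifiable", expected: null };
  }
  return { state: "no evidence", expected: expected };
}

// ---- ZAP hooks (only these touch ZAP objects) ----

function processMessage(utils, message) {
  // The fuzzer has already injected the payload; nothing to change on the way out.
}

function processResult(utils, fuzzResult) {
  var payloads = utils.getPayloads();
  if (payloads.isEmpty()) {
    return true;
  }
  // Single fuzz location assumed; with several, loop over payloads.get(i).
  var payload = String(payloads.get(0));
  var body = String(fuzzResult.getHttpMessage().getResponseBody().toString());
  var baseline = String(utils.getOriginalMessage().getResponseBody().toString());

  var verdict = classify(payload, body, baseline);
  // The value appears in the "State" column of the fuzzer results tab.
  fuzzResult.addCustomState("SSTI", verdict.state);
  return SHOW_ONLY_EXECUTED ? verdict.state === "executed" : true;
}
```

To use it in ZAP, add it under the Scripts tab as a script of type "HTTP Fuzzer Processor", then tick it in the Message Processors list of the Fuzzer dialog before starting the fuzz; the "State" column then shows the verdict and, with `SHOW_ONLY_EXECUTED` set, the match count drops from "every payload sent" to "payloads the engine actually evaluated". The baseline comparison is the part worth keeping even if you change the probes: comparing against the original response is what separates "the page rendered my arithmetic" from "the page already had that number on it".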