
Blind SSTI Detection on Java App: Identifying Template Engine
Tags: SSTI, Java, Template Injection, Security Testing, Blind Detection, Freemarker, Velocity, Thymeleaf
A security tester is examining a Java web application in which a URL parameter reflects user input and is suspected of being vulnerable to Server-Side Template Injection (SSTI). They have tried several template-injection payloads, including ${77}, {{77}}, and Java Runtime execution expressions, but observed no reflected output, errors, time delays, or out-of-band callbacks. The only lead is a custom "X-Template" header in the response. The tester is asking how to determine which template engine (Freemarker, Velocity, or Thymeleaf) is in use when the application returns no output, and whether any time-based blind detection method exists that works across multiple engines.