BY: Narendra Kumar
@0ddhawk
SERVER SIDE TEMPLATE
INJECTION
Null Bhopal
17 DEC 2017
Agenda
• Introduction
• Template /template engines
• Detect
• Identify
• Exploit
What is a template?
• Layout / predefined structure
• Might need to be given specific information before it is usable.
• Produces HTML
• Reduces typing
• Faster
Example
• Welcome to Null meet
• Null meets are open for everyone
Produced HTML:
• <h1>Welcome to Null meet</h1>
• Null meets are open for everyone
Classic HTML vs. template:
• H1 Welcome to Null meet
• P Null meets are open for everyone
What is a template engine?
Template + Data -> Template Engine -> Resulting Document
Example:
Template:
• <h1>Welcome to <%=name%></h1>
• <p><%=name%> <%=category%></p>
Data:
• {name : 'OWASP', category : 'meets are open for everyone'}
Produces:
• Welcome to OWASP
• OWASP meets are open for everyone
Types of template engines
• Freemarker
• Velocity
• Smarty
• Twig/Twig sandbox
• Jade
• EJS etc.
What is template injection?
Example 1: marketing application for bulk emails
$output = $twig->render("Dear {{ first_name }},", array("first_name" => $user->first_name));
Example 2:
$output = $twig->render($_GET['custom_email'], array("first_name" => $user->first_name));
Note: the problem arises when the template itself is customizable by the user.
A template injection may occur when untrusted input is concatenated into a template (example 2) rather than passed to it as data (example 1).
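As an added illustration (not code from the slides or from Twig), the following Python toy template engine makes the difference between example 1 and example 2 concrete. It evaluates `{{ ... }}` tags with a deliberately restricted walker over Python's `ast` module (integer and string literals, context variables, and the operators + - *), so it stands in for a real engine rather than reproducing one; `render`, `greet_safe` and `greet_unsafe` are names chosen for this example. Because the evaluator inherits Python semantics, `7*'7'` repeats the string, the same behaviour the slides later attribute to Jinja2.

```python
import ast
import operator
import re

# {{ ... }} is the tag syntax this toy engine understands (Twig/Jinja2 style).
TAG = re.compile(r"\{\{(.*?)\}\}")
# Only these binary operators are evaluated; everything else is rejected.
OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul}


class TemplateError(Exception):
    pass


def _eval(node, ctx):
    """Evaluate a tiny expression subset: literals, context names, + - *."""
    if isinstance(node, ast.Expression):
        return _eval(node.body, ctx)
    if isinstance(node, ast.Constant) and isinstance(node.value, (int, str)):
        return node.value
    if isinstance(node, ast.Name):
        if node.id not in ctx:
            raise TemplateError(f"unknown variable {node.id!r}")
        return ctx[node.id]
    if isinstance(node, ast.BinOp) and type(node.op) in OPS:
        return OPS[type(node.op)](_eval(node.left, ctx), _eval(node.right, ctx))
    # Calls, attribute access, subscripts etc. are not part of the subset.
    raise TemplateError(f"unsupported syntax: {type(node).__name__}")


def render(template, ctx):
    """Replace every {{ expr }} in the template source with its evaluated value.
    Values substituted from ctx are inserted verbatim and never re-parsed."""
    def substitute(match):
        try:
            tree = ast.parse(match.group(1).strip(), mode="eval")
        except SyntaxError as exc:
            raise TemplateError(f"bad expression: {exc.msg}") from exc
        return str(_eval(tree, ctx))
    return TAG.sub(substitute, template)


def greet_safe(name):
    # Example 1 pattern: the template is a constant, user data rides in the context.
    return render("Hello {{ name }}", {"name": name})


def greet_unsafe(name):
    # Example 2 pattern: user data becomes part of the template source, so any
    # tag syntax it contains is parsed and evaluated by the engine (SSTI).
    return render("Hello " + name, {})


if __name__ == "__main__":
    # Constructed inputs: a normal name and the two detection probes from the slides.
    for probe in ("user1", "{{7*7}}", "{{ 7*'7' }}"):
        print(f"{probe!r:14} safe -> {greet_safe(probe)!r:20} unsafe -> {greet_unsafe(probe)!r}")
```

Running the block shows the whole vulnerability class in three lines: the constant-template path echoes `{{7*7}}` back as text, while the concatenated-template path renders it as `49`. The fix is the same as in example 1: keep templates as developer-controlled constants and pass user data only through the context.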
Template engine behavior
• Plaintext context
• Code context
Plaintext context
• Template engine syntax:
• Ex 1: Smarty
Template: Hello {user.name}
Output: Hello user1
• Ex 2: Freemarker
Template: Hello ${username}
Output: Hello user2
Detection of SSTI
• Ex 1: Smarty
Input: Hello ${7*7}
Output: Hello 49
• Ex 2: Freemarker
Input: Hello ${7*7}
Output: Hello 49
• Other payload syntaxes:
{var} ${var} {{var}} <%var%> [%var%]
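Added example, not from the slides: a small Python scanner that applies the delimiter list above to the request paths in web-server access logs, so a defender can spot `7*7`-style probing before it progresses to exploitation. The log lines are constructed for this example and the regular expressions are the example's own approximation of each engine family's tag syntax; `scan_log` is a name chosen here.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from the slides): one benign request,
# then several carrying template-syntax probes in the ?name= parameter.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2018:10:00:01 +0000] "GET /greet?name=user01 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2018:10:00:07 +0000] "GET /greet?name=%7B%7B7*7%7D%7D HTTP/1.1" 200 510
10.0.0.5 - - [01/Jan/2018:10:00:09 +0000] "GET /greet?name=%24%7B7*7%7D HTTP/1.1" 200 510
10.0.0.9 - - [01/Jan/2018:10:01:15 +0000] "GET /greet?name=%7B%7Bname%7D%7D HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2018:10:01:30 +0000] "GET /greet?name=%3C%257*7%25%3E HTTP/1.1" 200 510
"""

# Request line: method, path, protocol (combined log format).
REQUEST = re.compile(r'"(?:GET|POST|PUT|PATCH|DELETE) (\S+) HTTP/')

# The delimiter families listed on the detection slide:
# {var} ${var} {{var}} <%var%> [%var%]
PROBE = re.compile(
    r"\{\{[^{}]*\}\}"        # {{ ... }}  Twig / Jinja2 style
    r"|\$\{[^{}]*\}"          # ${ ... }   Freemarker / Velocity style
    r"|<%[^%]*%>"             # <% ... %>  EJS / ERB style
    r"|\[%[^%]*%\]"           # [% ... %]  Template Toolkit style
    r"|\{[^{}\s][^{}]*\}"     # { ... }    Smarty style (single braces)
)
# Arithmetic inside the delimiters is the classic "7*7 -> 49" detection probe.
ARITH = re.compile(r"\d+\s*[*+\-/]\s*['\"]?\d+['\"]?")


def scan_log(text):
    """Return one finding per request whose URL-decoded path contains template syntax."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = REQUEST.search(line)
        if not m:
            continue
        path = unquote(m.group(1))        # decode %7B%7B... back to {{...
        probe = PROBE.search(path)
        if not probe:
            continue
        findings.append({
            "line": lineno,
            "client": line.split(" ", 1)[0],
            "path": path,
            "probe": probe.group(0),
            # arithmetic inside the tag is a stronger signal than a bare {{name}}
            "severity": "high" if ARITH.search(probe.group(0)) else "low",
        })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['client']} {f['severity']:4} {f['probe']!r} in {f['path']}")
```

Matching on the decoded path is what makes this work: a probe such as `{{7*7}}` normally reaches the log as `%7B%7B7*7%7D%7D`, so a rule applied to the raw line would miss it. The severity split separates a plain `{{name}}` (possibly a legitimate application value) from tags that carry arithmetic, which has no business in a user-supplied name.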
Code context
• Ex 1: personal_greeting=username
Output: Hello user01
Breaking out of the template:
• personal_greeting=username<tag>
Expected: error or empty string
• personal_greeting=username}}<tag>
Output: Hello user01 <tag>
First step done
How to identify the template engine
• Use a decision tree of language-specific payloads
Note: this technique fails when error messages are suppressed
Example: the probe {{7*'7'}} would result in 49 in Twig and 7777777 in Jinja2
Time to get ready
Exploit
• Read
|- cover basic syntax
|- security considerations: chances are whoever developed the app you're
|  testing didn't read this, and it may contain some useful hints
|- built-in methods, functions, filters, and variables
|- extensions/plugins: some may be enabled by default
• Explore
• Default objects provided by the template/application: self
• If there is no built-in self object: brute-force variable names (developer-supplied
objects in particular may contain sensitive information)
• Attack
• Build a firm idea of the attack surface available to you
Demo
References
• http://blog.portswigger.net/2015/08/server-side-template-injection.html
• https://github.com/twigphp/Twig/blob/e22fb8728b395b306a06785a3ae9b12f3fbc0294/lib/Twig/Environment.php#L874
• https://twig.symfony.com/
• http://mrbool.com/understanding-twig-php-template-engine/32460
Editor's Notes

  1. 3: TI occurs when user input is embedded in the template. Why is example 1 safe?
  2. How to detect which template engine is in use? Plaintext context: what is it?