Forum Discussion

Bronze III

6 months ago

Solved

Stuck on “Server-Side Template Injection: Ep.2 – Identifying SSTI Vulnerabilities”

None of the three apps are “breaking” for me. For example the input of {{ dump(_SERVER) }} should return server information in at least one example. But nope.

help & support

netcat
6 months ago
I just took the sample payload from the briefing, and it works on the first app, causing an error.
I think there's only one app using twig, where the above string would trigger.
SSTI...not my favorite.

QuickSloth

Bronze III

6 months ago

> I think there's only one app using twig
I know. And I know which one is running twig. But I try all three for completeness.
I tried this on three different days. And I'm still not able to get anything to return the system information.
(Oops, meant this as a reply to netcat )

Forum Discussion

Stuck on “Server-Side Template Injection: Ep.2 – Identifying SSTI Vulnerabilities”

Featured Places

Help & Support Forum

Related Content

Server-Side Request Forgery

Server-Side Request Forgery Web App Hacking

Confused in "Threat Modeling Fundamentals; SQL Injection and Server-Side Template Injection"

Server-Side Request Forgery Q6 & Q7

Combatting Software Vulnerabilities with GenAI

Recent Discussions

Trick or Treat on Specter Street: Phantom Pages

FIN7 Threat Hunting with Splunk: Ep.2 – Initial Access

Trick or Treat on Specter Street: Widow's Web

Trick or Treat on Specter Street: Manor of Madness

Trick or Treat: Manor of Madness