Forum Discussion

Bronze II

25 days ago

Stuck on “Server-Side Template Injection: Ep.2 – Identifying SSTI Vulnerabilities”

None of the three apps are “breaking” for me. For example the input of {{ dump(_SERVER) }} should return server information in at least one example. But nope.

help & support

netcat

Silver II

22 days ago

I just took the sample payload from the briefing, and it works on the first app, causing an error.
I think there's only one app using twig, where the above string would trigger.
SSTI...not my favorite.

QuickSloth

Bronze II

22 days ago

> I just took the sample payload from the briefing
Sorry, which payload is that?

netcat
Silver II
21 days ago
This one: {{$<%=(*`|.'#-%>;}}
- QuickSloth
  Bronze II
  19 days ago
  All three apps just echo back that same input.
  - netcat
    Silver II
    19 days ago
    Just one more click.

Forum Discussion

Stuck on “Server-Side Template Injection: Ep.2 – Identifying SSTI Vulnerabilities”

Featured Places

Help & Support Forum

Related Content

Server-Side Request Forgery

Confused in "Threat Modeling Fundamentals; SQL Injection and Server-Side Template Injection"

Combatting Software Vulnerabilities with GenAI

CVE-2024-5910: Understanding the Critical Expedition Vulnerability

Understanding CVE-2023-49103: A Critical Vulnerability in ownCloud Graph API

Recent Discussions

Web App Hacking (Lab series): CVE-2022-2143 (iView2)

Confused in "Threat Modeling Fundamentals; SQL Injection and Server-Side Template Injection"

Wizard Spider DFIR: Ep.10 – Demonstrate Your Skills

Autopsy Ep 3: Tags, Comments and Reports

Logging and Monitoring in AWS: Demonstrate Your Skills