Introduction

In this video walk-through, we covered the detection, exploitation, and remediation of the Server-Side Template Injection vulnerability.

What is Server Side Template Injection?
Server Side Template Injection (SSTI) is a web exploit which takes advantage of an insecure implementation of a template engine.

What is a template engine?
A template engine allows you to create static template files which can be re-used in your application.

What is the impact of SSTI?
As the name suggests, SSTI is a server-side exploit rather than a client-side one such as cross-site scripting (XSS).

This makes such vulnerabilities even more critical: instead of an account on the website being hijacked (a common use of XSS), the server itself gets hijacked.

The possibilities are endless; however, the main goal is typically to gain remote code execution.
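The insecure pattern described above next to its remediation, as an added example that is not part of the original walk-through. It assumes a Python application using Jinja2 (the engine named in the questions below) with the `jinja2` package installed; the template text, function names and probe strings are constructed for illustration.

```python
# Added example (not from the walk-through): SSTI root cause, fix, and a
# harmless self-check a developer can run against their own render function.
from jinja2 import Environment, TemplateSyntaxError

env = Environment(autoescape=True)

# A static, reusable template: the only place template syntax should live.
PROFILE_TEMPLATE = "<h1>Welcome, {{ username }}!</h1>"


def render_vulnerable(username: str) -> str:
    """Insecure: user input is concatenated into the template SOURCE,
    so the engine parses and evaluates whatever the user typed."""
    source = "<h1>Welcome, " + username + "!</h1>"
    return env.from_string(source).render()


def render_safe(username: str) -> str:
    """Remediated: the template source is fixed; user input is passed
    only as DATA (context variable) and is HTML-escaped by autoescape."""
    return env.from_string(PROFILE_TEMPLATE).render(username=username)


def probe(render) -> list:
    """Report signs that input reaches the template parser.
    Both probes are constructed and side-effect free."""
    findings = []
    try:
        render("{{")  # unbalanced delimiter: only a parser would care
    except TemplateSyntaxError:
        findings.append("syntax-error")
    out = render("{{ 7*7 }}")  # arithmetic: evaluated only if parsed
    if "49" in out and "7*7" not in out:
        findings.append("expression-evaluated")
    return findings


if __name__ == "__main__":
    for name, fn in (("vulnerable", render_vulnerable), ("safe", render_safe)):
        print(name, "->", probe(fn) or "input treated as plain data")
```

The same `probe` function can be kept as a regression test so that a later refactor does not reintroduce string-built templates.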


Answers

What sequence of characters causes the application to throw an error?
What template engine is being used in this application?
How do you start a comment in Jinja2?
What is the result of the “whoami” shell command?
What payload was used to confirm SSTI?
Video Walk-through