IDENTIFICATION
#identify the template engine the target web application uses
#utilize slight variations in the behavior of different template engines to achieve this
#see the overview (above) of commonly used template engines and the slight differences between them
root@oco:~$ BROWSER > {targetSite:port}
input field: ${7*7}
output: success
* based on the response, proceed and follow either the red (fail) / green (success) arrow until you arrive at the resulting template engine
input field: {{7*7}}
input field: {{7*'7'}}
* Jinja Result: 7777777
* Twig Result: 49
#test webapp response to invalid characters
root@oco:~$ BROWSER > {targetSite:port}
input field: ${{<%[%'"}}%\.
* this test string is commonly used to provoke an error message in a web application vulnerable to SSTI
- while this doesn't confirm that the web application is vulnerable to SSTI, it should increase our suspicion that the parameter might be vulnerable.
root@oco:~$ BROWSER > {targetSite:port}
input field: ${7*7}
output: success
input field: {{7*7}}
output:
Error: Parse error on line 1:
{{7*7}}
--^
Expecting 'ID', 'STRING', 'NUMBER', 'BOOLEAN', 'UNDEFINED', 'NULL', 'DATA', got 'INVALID'
at Parser.parseError (/root/Backend/node_modules/handlebars/dist/cjs/handlebars/compiler/parser.js:268:19)
at Parser.parse (/root/Backend/node_modules/handlebars/dist/cjs/handlebars/compiler/parser.js:337:30)
at HandlebarsEnvironment.parse (/root/Backend/node_modules/handlebars/dist/cjs/handlebars/compiler/base.js:46:43)
at compileInput (/root/Backend/node_modules/handlebars/dist/cjs/handlebars/compiler/compiler.js:515:19)
at ret (/root/Backend/node_modules/handlebars/dist/cjs/handlebars/compiler/compiler.js:524:18)
* an error occurring isn't always a bad thing. this error means that the
payload was recognised by the template engine, but the expression contained
an error for that engine and could not be executed.
- for a Penetration Tester, errors can provide valuable information
- this particular error provided the following information
- the server is running from the /root/Backend directory, and the
Handlebars Template Engine is being used
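The defender-side counterpart to the probes above, as an added example that is not part of the original notes: a small log scanner that URL-decodes each request target, flags the three probe families used in the identification steps (`${7*7}`, `{{7*7}}`/`{{7*'7'}}`, and the mixed-delimiter fuzz string) and notes when a probe coincides with a 5xx response, since the Handlebars trace above shows how much a verbose error can leak. The log lines and IPs are constructed; the regexes and function names are my own.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines (not from a real server). Lines 2-4 carry the
# probe strings from the identification steps above, URL-encoded as a browser
# would send them in a query parameter.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /search?q=hello HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /search?q=%24%7B7*7%7D HTTP/1.1" 200 530
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /search?q=%7B%7B7*'7'%7D%7D HTTP/1.1" 200 540
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /search?q=%24%7B%7B%3C%25%5B%25'%22%7D%7D%25%5C. HTTP/1.1" 500 2048
10.0.0.7 - - [01/Jan/2024:10:00:05 +0000] "GET /price?total=49 HTTP/1.1" 200 300
"""

# One pattern per probe family shown above; applied to the URL-decoded target.
PROBE_PATTERNS = {
    "dollar-brace arithmetic (${7*7})": re.compile(r"\$\{\s*\d+\s*[*+\-/]\s*\d+\s*\}"),
    "double-brace arithmetic ({{7*7}})": re.compile(r"\{\{\s*\d+\s*[*+\-/]\s*['\"]?\d+['\"]?\s*\}\}"),
    "mixed-delimiter fuzz string (${{<%[%'\"}}%\\.)": re.compile(r"\$\{\{<%\[%"),
}

# Pulls the request target and status code out of a common-log-format line.
REQUEST_RE = re.compile(r'"(?:GET|POST|PUT|PATCH|DELETE) (\S+) [^"]*" (\d{3})')


def classify_request(path: str) -> list:
    """Return the probe families matched by one request target after URL-decoding."""
    decoded = unquote_plus(path)
    return [name for name, rx in PROBE_PATTERNS.items() if rx.search(decoded)]


def scan_log(text: str) -> list:
    """Flag log lines whose request target carries an SSTI probe string.

    A 5xx status alongside a probe is marked separately: the template engine
    choked on the input, and the resulting error page may expose engine name
    and server paths as in the Handlebars trace above.
    """
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        path, status = m.group(1), int(m.group(2))
        families = classify_request(path)
        if families:
            hits.append({"client": line.split()[0], "status": status,
                         "probes": families, "server_error": status >= 500})
    return hits
```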