add SSTI

content/docs/others/browser-exploit.md

@@ -30,6 +30,14 @@ chrome.exe --remote-debugging-port=9222
 
 ## Vulnerabilities
 
+### Firefox
+
+#### CVE-2024-4367 – Arbitrary JavaScript execution in PDF.js
+
+- [CVE-2024-4367 – Arbitrary JavaScript execution in PDF.js](https://codeanlabs.com/blog/research/cve-2024-4367-arbitrary-js-execution-in-pdf-js/)
+- [CVE-2024-4367 PoC - Github](https://github.com/LOURC0D3/CVE-2024-4367-PoC/)
+- Version: Firefox 126, Firefox ESR 115.11 and Thunderbird 115.11 released including the fixed version of PDF.js
+
 ### Chromium
 
 #### Arbitrary file reading

content/docs/server-side/ssti/ejs.md

@@ -0,0 +1,32 @@
+---
+title: "EJS"
+description: "Cheatsheet on EJS"
+lead: "Cheatsheet on EJS"
+date: 2023-01-01T00:00:00+00:00
+lastmod: 2023-01-01T00:00:00+00:00
+draft: false
+images: []
+menu:
+ docs:
+ parent: "ssti"
+weight: 620
+toc: true
+---
+
+## EJS - Embedded JavaScript templating
+
+[EJS](https://ejs.co/) is a simple templating language that lets you generate HTML markup with plain JavaScript.
+
+## XSS
+
+**Unsafe:**
+
+```html
+<h1><%- user.name %></h1>
+```
+
+**Safe:**
+
+```html
+<h1><%= user.name %></h1>
+```

content/docs/server-side/ssti/pug.md

@@ -0,0 +1,66 @@
+---
+title: "Pug"
+description: "Cheatsheet on Pug"
+lead: "Cheatsheet on Pug"
+date: 2023-01-01T00:00:00+00:00
+lastmod: 2023-01-01T00:00:00+00:00
+draft: false
+images: []
+menu:
+ docs:
+ parent: "ssti"
+weight: 620
+toc: true
+---
+
+## Pug
+
+[Pug](https://pugjs.org/) is a simple templating language that lets you generate HTML markup with plain JavaScript.
+
+## XSS
+
+### Unescaped Attributes
+
+- [Unescaped Attributes - pugjs.org](https://pugjs.org/language/attributes.html#unescaped-attributes)
+- [&attributes - pugjs.org](https://pugjs.org/language/attributes.html#attributes)
+
+By default, all attributes are escaped. If you need to use special characters, use `!=` instead of `=`.
+
+```html
+div(escaped="<code>")
+=> <div escaped="&lt;code&gt;"></div>
+div(unescaped!="<code>")
+=> <div unescaped="<code>"></div>
+
+p = 'This code <strong>is</strong> escaped!'
+=> <p>This code &lt;strong&gt;is&lt;/strong&gt; !</p>
+p != 'This code is' + ' <strong>not</strong> escaped!'
+=> This code is <strong>not</strong> escaped!
+
+div#foo(data-bar="foo")&attributes({'data-foo': 'bar'})
+=> <div id="foo" data-bar="foo" data-foo="bar"></div>
+```
+
+> Attributes applied using `&attributes` are not automatically escaped.
+
+### Unescaped Strings
+
+- [String Interpolation, Unescaped - pugjs.org](https://pugjs.org/language/interpolation.html#string-interpolation-unescaped)
+
+**Safe:**
+
+```bash
+p You're logged in as #{user.name}
+```
+
+**Unsafe:**
+
+```bash
+p You're logged in as !{user.name}
+```
+
+### Unescaped Protocol
+
+```js
+a(href="javascript:alert(document.domain)")
+```

hugo_stats.json

@@ -333,6 +333,7 @@
  "csrf",
  "cve-2021-41773---path-traversal--potential-rce",
  "cve-2023-25690---request-smuggling",
+ "cve-2024-4367--arbitrary-javascript-execution-in-pdfjs",
  "dangerous-functions",
  "data-import",
  "database-enumeration",
@@ -350,6 +351,8 @@
  "dos",
  "drupal",
  "ejs",
+ "ejs---embedded-javascript-templating",
+ "email",
  "empty-pattern",
  "error-based",
  "example",
@@ -442,6 +445,7 @@
  "postgresql-2",
  "properties",
  "prototype-pollution",
+ "pug",
  "python",
  "query",
  "query-string-parsing",
@@ -458,6 +462,7 @@
  "resources",
  "response-headers-manipulation",
  "restart-frame",
+ "ruby",
  "samesite",
  "script-loading-content-type-page",
  "search-form",
@@ -470,6 +475,7 @@
  "secure",
  "security",
  "self-xss",
+ "send",
  "set-cookie-from-javascript",
  "socialMenu",
  "softwares",
@@ -496,6 +502,9 @@
  "trust-proxy",
  "two-levels-deep",
  "type-juggling",
+ "unescaped-attributes",
+ "unescaped-protocol",
+ "unescaped-strings",
  "uppercase",
  "uri-scheme",
  "urls",