We've reviewed the underlying problem with template engines. Now, let's check how it's possible to exploit them. See the following code:
var greet = 'Hello $name';
<ul>
<% for(var i=0; i<data.length; i++)
{%>
<li><%= data[i] %></li>
<% }
%>
</ul>
<div>
<p> Welcome, {{ username }} </p>
</div> In this code, the template engine is waiting for a name in order to show the Welcome string and the name entered. This line will be displayed to the user as a form, looking like this:
To test if it's vulnerable, we'll send a couple of numbers, waiting to be evaluated:
${{1+1}When the values are sent, the application shows the following:
Hello 2At this moment, the vulnerability is confirmed. We need to exploit it in order to determine what's the impact. I'll use the payloads developed by James Kettle, from his presentation Server-side Template Injection: RCE for the modern app. Let's insert the next line:
{{_self.env...