Bug Bounty Hunting Essentials
We've reviewed the underlying problem with template engines. Now let's look at how they can be exploited. Consider the following code:
var greet = 'Hello $name';

<ul>
<% for(var i=0; i<data.length; i++)
{%>
<li><%= data[i] %></li>
<% }
%>
</ul>

<div>
<p> Welcome, {{ username }} </p>
</div>

In this code, the template engine expects a name and then shows the Welcome string followed by the name entered. This line is presented to the user as a form, which looks like this:

To test whether it's vulnerable, we send an arithmetic expression and wait for it to be evaluated:

${{1+1}

When the values are sent, the application shows the following:

Hello 2

At this point, the vulnerability is confirmed. Next we need to exploit it to determine its impact. I'll use the payloads developed by James Kettle in his presentation Server-side Template Injection: RCE for the modern app. Let's insert the following line:

{{_self.env...
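As an added illustration (not code from the book or from any real engine), here is why the arithmetic probe above distinguishes a vulnerable page from a safe one: a toy {{ }} engine that compiles expressions to JavaScript, the way real engines compile templates, used once with user input spliced into the template source and once with user input passed as data. The engine, the renderWelcome* functions and probeIsEvaluated are all assumptions made for this example.

```javascript
// Toy template engine (constructed for this example, not a real library).
const escapeHtml = (s) => String(s).replace(/[&<>"']/g, (c) =>
  ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c]));

// Compile template source into a function. Every {{ expr }} becomes code,
// so whoever controls the template SOURCE controls the code that runs.
function compileTemplate(source) {
  const re = /\{\{\s*([^}]*?)\s*\}\}/g;
  let body = 'let out = "";\n', last = 0, m;
  while ((m = re.exec(source)) !== null) {
    body += `out += ${JSON.stringify(source.slice(last, m.index))};\n`;
    body += `out += escapeHtml((${m[1]}));\n`; // expression compiled in
    last = re.lastIndex;
  }
  body += `out += ${JSON.stringify(source.slice(last))};\nreturn out;`;
  const fn = new Function("escapeHtml", "data", `with (data) { ${body} }`);
  return (data) => fn(escapeHtml, data);
}

// Vulnerable: the username is concatenated into the template before it is
// compiled, so "{{1+1}}" is treated as an expression, not as text.
function renderWelcomeVulnerable(username) {
  return compileTemplate("<p> Welcome, " + username + " </p>")({});
}

// Safe: the template is a fixed string and the username is a context value,
// so "{{1+1}}" is rendered literally (and HTML-escaped on output).
function renderWelcomeSafe(username) {
  return compileTemplate("<p> Welcome, {{ username }} </p>")({ username });
}

// The check from the text: submit "1+1" in template syntax and see whether
// the response contains the evaluated result instead of the probe itself.
function probeIsEvaluated(render) {
  const probe = "{{1+1}}";
  const out = render(probe);
  return !out.includes(probe) && out.includes("2");
}

console.log(renderWelcomeVulnerable("{{1+1}}")); // <p> Welcome, 2 </p>
console.log(renderWelcomeSafe("{{1+1}}"));       // <p> Welcome, {{1+1}} </p>
```

The fix is the second pattern: never build the template source from request data; pass it as a context variable instead.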