Example 1
Consider the following web page.

This page shows a basic welcome message followed by the name of the user, which is taken from the URL path and concatenated into the response: http://10.201.75.107:5000/profile/<user>. Let's try to find an injection point in the <user> part of the URL.
We can fuzz this page automatically to check for special handling of certain characters, but if we have to go manual we can test with the following set of special characters: ${{<%[%'"}}%
These characters are the delimiters used by template engines (for example Jinja) to mark expressions and blocks.

Here we can try to trigger an error on the webpage using these special characters.

As you can see, using the characters {{ triggered an Internal Server Error.
The reason we are trying to trigger an error using special characters is to detect the template engine being used.
We can use the following decision tree to do so.

We can start from the left-most payload.


As you can see, the payload worked, and we now know that Jinja2 is the template engine in use.
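As an added, defensive counterpart to the probing described above (example code, not part of the original write-up): a small log triage script that parses constructed access-log lines, percent-decodes the request path, and flags requests carrying the template delimiters listed earlier. A request that carries those delimiters and coincides with a 500 response gets its own verdict, since an Internal Server Error on such input is exactly the signal the walkthrough relies on. All log lines, IP addresses and function names here are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines in Combined Log Format (not real traffic).
# Line 2 carries the probe string ${{<%[%'"}}% percent-encoded and drew a 500;
# line 3 carries {{7*7}}, the classic arithmetic test for an expression engine.
LOG_LINES = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /profile/alice HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /profile/%24%7B%7B%3C%25%5B%25%27%22%7D%7D%25 HTTP/1.1" 500 290',
    '203.0.113.7 - - [10/Oct/2023:13:55:44 +0000] "GET /profile/%7B%7B7*7%7D%7D HTTP/1.1" 200 508',
    '198.51.100.9 - - [10/Oct/2023:13:56:01 +0000] "GET /profile/bob%20smith HTTP/1.1" 200 514',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Delimiters used by common template engines; the probe string from the
# walkthrough is built from these characters.
MARKERS = ("{{", "}}", "{%", "%}", "${", "<%", "%>", "#{")

# {{ <number> <op> <number> }}: an expression the engine would evaluate.
ARITH_RE = re.compile(r"\{\{\s*\d+\s*[*+\-]\s*\d+\s*\}\}")


def parse_log_line(line):
    """Return a dict with ip, ts, method, path and int status, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def decode_path(path, max_rounds=3):
    """Percent-decode repeatedly so a double-encoded probe is not missed."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def find_markers(text):
    """List the template delimiters present in text, in MARKERS order."""
    return [m for m in MARKERS if m in text]


def triage_log(lines):
    """Return one finding per request whose decoded path contains template delimiters."""
    findings = []
    for line in lines:
        rec = parse_log_line(line)
        if rec is None:
            continue
        path = decode_path(rec["path"])
        markers = find_markers(path)
        if not markers:
            continue
        if ARITH_RE.search(path):
            verdict = "arithmetic_probe"
        elif rec["status"] >= 500:
            verdict = "probe_with_server_error"
        else:
            verdict = "template_delimiters"
        findings.append({
            "ip": rec["ip"],
            "path": path,
            "status": rec["status"],
            "markers": markers,
            "verdict": verdict,
        })
    return findings


if __name__ == "__main__":
    for f in triage_log(LOG_LINES):
        print(f"{f['verdict']:24} {f['ip']:15} {f['status']} {f['path']}")
```

The decode step matters: a probe such as the one above arrives percent-encoded, so matching on the raw request line would miss it. On a real server the same check can run over the access log of the vulnerable route, and a 500 following a delimiter-bearing path is a strong reason to look at how that route builds its template.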
Syntax
The next step is to learn the engine's syntax. The best way to do so is to check the official documentation.
Always look for the following, no matter the language or template engine:
How to start a print statement
How to end a print statement
How to start a block statement
How to end a block statement