Discover and read the best of Twitter Threads about #securitytips
Most recents (2)
1/
Vuln: SSTI
Severity: Severity of the issue depends on from the engine that has been used
Server-side template injection occurs when user input is unsafely embedded into a server-side template, allowing users to inject template directives.
#bugbountytips #securitytips #SSTI
Vuln: SSTI
Severity: Severity of the issue depends on from the engine that has been used
Server-side template injection occurs when user input is unsafely embedded into a server-side template, allowing users to inject template directives.
#bugbountytips #securitytips #SSTI
2/
Constructing a server-side template injection attack
Detect โ Identify โ Exploit
- Detect if SST is vulnerable to attack
โข Identify the engine that the server uses. There are a huge number of templating languages, characters.
โข Develop exploit on received data
Constructing a server-side template injection attack
Detect โ Identify โ Exploit
- Detect if SST is vulnerable to attack
โข Identify the engine that the server uses. There are a huge number of templating languages, characters.
โข Develop exploit on received data
3/
How you can detect SSTI:
Try fuzzing the template by injecting a sequence of special characters, such as `${{<%[%'"}}%`
Vulnerable code: render('Hello ' + username)
Request: "vulnerable-website.com/?username=${7*7}"
If the resulting output - `Hello 49` executes a mathematical operation
How you can detect SSTI:
Try fuzzing the template by injecting a sequence of special characters, such as `${{<%[%'"}}%`
Vulnerable code: render('Hello ' + username)
Request: "vulnerable-website.com/?username=${7*7}"
If the resulting output - `Hello 49` executes a mathematical operation
We found a Remote Code Execution vulnerability in every #PostgreSQL database in #IBMCloud ๐ฑ
Here is how we did it: ๐งต
#HellsKeychain
Here is how we did it: ๐งต
#HellsKeychain
We set up a PostgreSQL instance in IBM Cloud and tried to execute code using the 'COPY FROM PROGRAM' statement. Unfortunately, this failed due to insufficient privileges. We were blocked! ๐ซ
We reviewed all IBM Cloud's proprietary functions that had the 'security definer' flag (meaning they will run as superuser). One of these functions had a SQL Injection vulnerability that we were able to exploit:
