Exploiting SSTI vulnerabilities to execute server commands
Server-Side Template Injection (SSTI) is a vulnerability that occurs when an application uses a template engine to render what is presented to the user and user-supplied data ends up inside the template itself. Template content is parsed as code, so if that input is not correctly validated, it can change the behavior of the application.
These vulnerabilities depend heavily on the technology the developers used to build the application, so no two cases are the same, and as a pentester you need to identify these differences and their effect on how the vulnerability is exploited.
Using Burp Suite to exploit the vulnerability
Imagine you have an application vulnerable to SSTI that uses Twig. Twig (https://twig.symfony.com/) is a template engine written in PHP.
We can detect which engine is in use by looking at the source code. Consider the following code snippet:
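As an added illustration (not code from the original text), the following PHP shows the two ways user input can meet a Twig template: concatenated into the template source, which is the injection pattern described at the start, and passed as a context variable, which is the safe form. It assumes Twig installed through Composer under a hypothetical vendor/autoload.php.

```php
<?php
// Added example, not from the original text. Assumes Twig is installed via
// Composer; the autoloader path below is a hypothetical placeholder.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Loader\ArrayLoader;

// Constructed sample input: harmless arithmetic wrapped in Twig delimiters,
// used here only to make visible whether the engine parses the input as code.
$userInput = '{{ 7*7 }}';

// A static template whose only dynamic part is the "name" variable.
$twig = new Environment(
    new ArrayLoader(['greet.twig' => 'Hello {{ name }}']),
    ['autoescape' => 'html']
);

// VULNERABLE: the user input becomes part of the template source, so Twig
// compiles and evaluates whatever template syntax it contains. In a code
// review, look for createTemplate() (or any template loader) fed by a string
// built from request data.
function renderVulnerable(Environment $twig, string $input): string
{
    return $twig->createTemplate('Hello ' . $input)->render();
}

// FIXED: the template source never changes; the user input is only a value in
// the render context, so it is printed (HTML-escaped) and never parsed.
function renderFixed(Environment $twig, string $input): string
{
    return $twig->render('greet.twig', ['name' => $input]);
}

// The first call shows the arithmetic evaluated by the engine; the second
// shows the same input reproduced literally as data.
echo renderVulnerable($twig, $userInput), PHP_EOL;
echo renderFixed($twig, $userInput), PHP_EOL;
```

The defensive rule this demonstrates is that user data belongs in the render context, never in the template string handed to the engine.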
    var greet = 'Hello $name';
    <ul>
    <% for(var i=0; i<data.length; i++) {%>
      <li><%= data[i] %></li>
    <% } %>
    </ul>
    <div>
    <p...