Hackfest 2020

Template Injection in Action
11-20, 12:00–14:00 (Canada/Eastern), Hackfest - Track 1
Language: English

Template engines are libraries mainly used to design views for web applications. Their use helps simplify common design tasks for developers. However, their use may introduce new risks when they are used in an improper way. Template injection is a vulnerability class that has emerged in 2016. The exploitation of this type of issue requires specific knowledge associated with the template library or programming language being used. Only knowing vulnerability basics is often insufficient to be effective. For these reasons, we are proposing a practical workshop with a special focus on template injection vulnerabilities. The training covers various template engines in the context of different programming languages (PHP, Python and Java) and explores how to successfully exploit them.

This workshop is a unique opportunity to have live access to vulnerable applications. The participants will receive a complete introduction to the template injection and step-by-step instructions on how to attack each exercise.


The workshop is divided in five parts. The first, part is an introduction to the vulnerability class. This segment is needed to get a good understanding of the attack patterns and to recognize potential vulnerabilities.

Next, we investigate four different template engines with unique twists. Each template engine is accompanied by an exercise which consists of a web application with a template engine being exposed.

  • Introduction
  • Template Injection
  • Identifying Template Engine
  • Template Engines
  • Twig (PHP)
  • Jinja2 (Python)
  • Tornado (Python)
  • Velocity (Java)
  • Sandbox escape

Are you releasing a tool? – no

Philippe is a security researcher working for GoSecure. His research is focused on Web application security. His past work experience includes pentesting, secure code review and software development. He is the author of the widely used Java static analysis tool OWASP Find Security Bugs (FSB). He built many plugins for Burp and ZAP proxy tools: Retire.js, Reissue Request Scripter, CSP Auditor and many others. Philippe has presented at several conferences including Black Hat Arsenal, SecTor, AppSec USA, ATLSecCon, NorthSec, and 44CON.