Hackfest 2020

Template Injection in Action
2020-11-20, 12:00–14:00, Hackfest - Track 1

Template engines are libraries mainly used to design views for web applications. Their use helps simplify common design tasks for developers. However, their use may introduce new risks when they are used in an improper way. Template injection is a vulnerability class that has emerged in 2016. The exploitation of this type of issue requires specific knowledge associated with the template library or programming language being used. Only knowing vulnerability basics is often insufficient to be effective. For these reasons, we are proposing a practical workshop with a special focus on template injection vulnerabilities. The training covers various template engines in the context of different programming languages (PHP, Python and Java) and explores how to successfully exploit them.

This workshop is a unique opportunity to have live access to vulnerable applications. The participants will receive a complete introduction to the template injection and step-by-step instructions on how to attack each exercise.

The workshop is divided in five parts. The first, part is an introduction to the vulnerability class. This segment is needed to get a good understanding of the attack patterns and to recognize potential vulnerabilities.

Next, we investigate four different template engines with unique twists. Each template engine is accompanied by an exercise which consists of a web application with a template engine being exposed.

  • Introduction
  • Template Injection
  • Identifying Template Engine
  • Template Engines
  • Twig (PHP)
  • Jinja2 (Python)
  • Tornado (Python)
  • Velocity (Java)
  • Sandbox escape

Are you releasing a tool? – no