14. What is a template engine? (1)
• Present dynamic data via web pages and emails.
• Separation of presentation (HTML/CSS) from application logic.
• Used in wikis, blogs, marketing applications and CMS.
• Some template engines:
  • FreeMarker
  • Velocity
  • Smarty
  • Twig
  • Jade
18. Introduction (2)
• custom_email={{7*7}} → 49
• custom_email={{self}} → Object of class __TwigTemplate_7ae62e582f8a35e5ea6cc639800ecf15b96c0d6f78db3538221c1145580ca4a5 could not be converted to string
23. Exploit
• ‘For Template Authors’ - sections covering basic syntax.
• ‘Security Considerations’ - chances are whoever developed the app
you're testing didn't read this, and it may contain some useful hints.
• Lists of builtin methods, functions, filters, and variables.
• Lists of extensions/plugins - some may be enabled by default.
36. What is CSV Injection?
• Exploited via export functionality that allows users to download CSV
(Excel) files.
• Exports often contain input from untrusted sources such as survey responses,
transaction details, and user-supplied addresses, …
• The attacker can execute arbitrary commands on the user's machine if the web
application does not properly validate the contents of the CSV file.
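The usual mitigation for the export case above is to neutralize any cell that a spreadsheet would interpret as a formula before it is written out. The following Python is an added example, not code from the slides: it prefixes formula-trigger cells with a single quote, quotes every field so separators and embedded quotes cannot break a cell, and runs over a constructed set of survey responses (`neutralize_cell`, `export_rows` and the sample rows are all assumptions introduced here).

```python
import csv
import io

# Characters that make common spreadsheets treat a cell as a formula when
# they appear at the start of the cell.  Tab and carriage return are
# included because some spreadsheets skip them before looking for "=".
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value):
    """Return `value` in a form a spreadsheet displays as text rather than evaluates.

    Leading whitespace is ignored when checking for a trigger, because the
    spreadsheet ignores it too.  The original value is kept intact after the
    quote so nothing the user typed is lost.  Non-strings pass through.
    Note the trade-off: a text field holding "-5" is also quoted; export
    genuine numbers as numeric types, not strings, to avoid that.
    """
    if not isinstance(value, str):
        return value
    if value.lstrip().startswith(FORMULA_TRIGGERS):
        return "'" + value
    return value


def export_rows(rows, fieldnames):
    """Render a list of dicts as CSV text with every untrusted cell neutralized.

    QUOTE_ALL wraps each field in double quotes and doubles any embedded
    quote, so a value cannot inject a separator or close the cell early.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(fieldnames)
    for row in rows:
        writer.writerow([neutralize_cell(row.get(name, "")) for name in fieldnames])
    return buf.getvalue()


# Constructed sample input standing in for survey responses.  The second
# and third comments are the kind of cell that would otherwise be evaluated.
SURVEY_RESPONSES = [
    {"name": "Alice", "comment": "Great service"},
    {"name": "Mallory", "comment": "=1+1"},
    {"name": "Trudy", "comment": "\t@SUM(1,2)"},
    {"name": "Bob", "comment": 'He said "hi"'},
]


if __name__ == "__main__":
    print(export_rows(SURVEY_RESPONSES, ["name", "comment"]))
```

The quote prefix is visible to the user opening the file, which is the accepted cost; the alternative of rejecting such input at submission time is stricter but breaks legitimate text that happens to start with a dash or plus sign.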
47. Serialization in the context of Java web applications and application servers
• In HTTP requests – Parameters, ViewState, Cookies
• RMI – The extensively used Java RMI protocol
• RMI over HTTP – Many Java thick client web apps use this
• JMX
• Custom Protocols
48. What's the problem?
• What if we knew of an object that implemented a "readObject" method that
did something dangerous?
• What if, instead of appending an exclamation point to a user-defined
string, ...?
49. How to identify whether an application might be vulnerable?
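For slides 47 to 49, the first identification step is recognising where serialized Java objects travel in the traffic: a stream written by `java.io.ObjectOutputStream` starts with the bytes `AC ED 00 05`, which appear as `rO0AB` when base64-encoded and as `aced0005` in hex. The following Python is an added example, not code from the slides, that scans request parameters for those markers in raw, base64 and hex form and checks the dedicated content type; the parameter names, the truncated sample stream and the request headers are constructed for illustration (the `javax.faces.ViewState` name is modelled on a JSF ViewState parameter).

```python
import base64
import binascii

# Header written by java.io.ObjectOutputStream: STREAM_MAGIC (0xACED) followed
# by STREAM_VERSION (5).  The two prefixes below are the same four bytes as
# they appear at the start of a base64 or hex encoding of the stream.
JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"
BASE64_PREFIX = "rO0AB"
HEX_PREFIX = "aced0005"
SERIALIZED_CONTENT_TYPE = "application/x-java-serialized-object"


def decode_candidate(value):
    """Recover bytes from a parameter that may be raw, base64 or hex encoded.

    Returns (encoding, data) or None when the value does not look like any
    of the three.  Decoding is strict so random text that merely shares a
    prefix is not reported.
    """
    if isinstance(value, bytes):
        return ("raw", value)
    stripped = value.strip()
    if stripped.startswith(BASE64_PREFIX):
        try:
            return ("base64", base64.b64decode(stripped, validate=True))
        except binascii.Error:
            return None
    if stripped.lower().startswith(HEX_PREFIX):
        try:
            return ("hex", bytes.fromhex(stripped))
        except ValueError:
            return None
    return None


def find_java_serialized(params):
    """Return one finding per parameter whose decoded bytes carry the stream header."""
    findings = []
    for name, value in params.items():
        decoded = decode_candidate(value)
        if decoded is None:
            continue
        encoding, data = decoded
        if data.startswith(JAVA_STREAM_MAGIC):
            findings.append({"param": name, "encoding": encoding})
    return findings


def is_serialized_content_type(headers):
    """True when the request declares a Java serialized object body."""
    media_type = headers.get("Content-Type", "").split(";")[0].strip().lower()
    return media_type == SERIALIZED_CONTENT_TYPE


# Constructed, truncated stream fragment: header, TC_OBJECT (0x73), TC_CLASSDESC
# (0x72), then a 14-byte class name.  A real stream continues well past this.
SAMPLE_STREAM = JAVA_STREAM_MAGIC + b"\x73\x72\x00\x0ejava.lang.Long"

# Constructed request parameters: two carry the fragment, the third only
# shares the base64 prefix and is not valid base64, the fourth is plain text.
SAMPLE_PARAMS = {
    "javax.faces.ViewState": base64.b64encode(SAMPLE_STREAM).decode(),
    "session_blob": SAMPLE_STREAM.hex(),
    "q": "rO0ABnotbase64!!",
    "user": "alice",
}

# Constructed headers for an RMI-over-HTTP style request.
SAMPLE_HEADERS = {"Content-Type": "application/x-java-serialized-object; charset=binary"}


if __name__ == "__main__":
    for finding in find_java_serialized(SAMPLE_PARAMS):
        print(f"{finding['param']}: serialized Java object ({finding['encoding']})")
    print("serialized content type:", is_serialized_content_type(SAMPLE_HEADERS))
```

A hit on the header only tells you that the application accepts serialized objects at that point; whether a dangerous `readObject` is reachable depends on the classes on the server's classpath, which is the next question the slides raise.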