Level up your SSTI skills!

So back in 2015 James Kettle wrote an interesting research paper on Server-Side Template Injection (SSTI). In it, he presented a technique for identifying and exploiting dynamic templates to obtain server-side remote code execution (RCE).

Who doesn’t like a good RCE, am I right? :smiling_imp:

He even presented a great talk at Black Hat on the subject, which you can check out here.

Anyways, I recently stumbled upon the fact that PortSwigger has updated that research and improved their SSTI section in Web Security Academy to include 7 new labs.

I went through it yesterday to level up my skills; it was a lot of fun. Then again, I’m kinda weird in what I think is fun. :clown_face:

Anyways, if you wanna level up YOUR SSTI skills, start here. Once you have read the theory, then head over to the labs and exploit FTW.

Finally, I’m curious… do you find SSTI interesting?

  • Hell yes!
  • WTF? No way.
  • I dunno yet… it’s all new to me.

They are fun. :smiley: