So back in 2015 James Kettle wrote an interesting research paper on Server-Side Template Injection (SSTI). In it, he presented a technique for identifying and exploiting dynamic templates to obtain server side remote code execution (RCE).
Who doesn’t like a good RCE, am I right?
He even presented a great talk at BlackHat on the subject, which you can check out here.
Anyways, I recently stumbled up the fact that Portswigger has updated that research and improved their SSTI section in Web Security Academy to include 7 new labs.
I went through it yesterday to level up my skills; it was a lot of fun. Then again, I’m kinda weird in what I think is fun.
Finally, I’m curious… do you find SSTI interesting?
- Hell yes!
- WTF? No way.
- I dunno yet… it’s all new to me.