> For the complete documentation index, see [llms.txt](https://notes.nomanaziz.me/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://notes.nomanaziz.me/cybersecurity/penetration-testing/tryhackme/main-methodology/3.-gaining-access-exploitation/web-applications/zth-obscure-web-vulns.md).

# ZTH: Obscure Web Vulns

### Server Side Template Injection (SSTI)

A template engine allows developers to use static HTML pages with dynamic elements. Take for instance a static profile.html page, a template engine would allow a developer to set a username parameter, that would always be set to the current user's username

Server Side Template Injection, is when a user is able to pass in a parameter that can control the template engine that is running on the server.

For example take the code<br>

This introduces a vulnerability, as it allows a hacker to inject template code into the website. The effects of this can be devastating, from XSS, all the way to RCE.

**Note: Different template engines have different injection payloads, however usually you can test for SSTI using {{2+2}} as a test.**

#### Manual Exploitation

Gives us this page. It takes a prompt for a name, and then returns `Hello <name>!.`, suppose it is vulnerable to SSTI ( {{2+2}} gives `Hello 4!` )

We can use the wonderful repository [PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#basic-injection), to find some payloads.

For example, `{{ ''.__class__.__mro__[2].__subclasses__()[40]()(<file>).read()}}` to read files on the server.

We can use the code `{{config.__class__.__init__.__globals__['os'].popen(<command>).read()}}` to execute commands on the server. All that payload does is import the os module, and run a command using the popen method.

#### Automatic Exploitation

There is a tool known as `Tplmap` that does that for us! The tool can be found [here](https://github.com/epinna/tplmap).

**Note: use python2 to install the requirements. python2 -m pip**

The basic syntax for tplmap is different depending on whether you're using get or post

```
GET	tplmap -u <url>/?<vulnparam>
POST	tplmap -u <url> -d '<vulnparam>'
```

***

### Cross Site Request Forgery (CSRF)

CSRF occurs when a user visits a page on a site, that performs an action on a different site. For instance, let's say a user clicks a link to a website created by a hacker, on the website would be an html tag such as `<img src="https://vulnerable-website.com/email/change?email=pwned@evil-user.net">` which would change the account email on the vulnerable website to "<pwned@evil-user.net>". CSRF works because it's the victim making the request not the site, so all the site sees is a normal user making a normal request.

This opens the door, to the user's account being fully compromised through the use of a password reset for example. The severity of this cannot be overstated, as it allows an attacker to potentially gain personal information about a user, such as credit card details in an extreme case.

#### Manual Exploitation

Let's take an example application

<figure><img src="/files/npkYn8SJNyTlLPRRSrSm" alt=""><figcaption></figcaption></figure>

It seems simple enough, As user bob, I can send funds to either Bob or Alice with any of the available balance in my account. Let's take a closer look at the request in burp.

<figure><img src="/files/RiuIFqdzTRWCuNQ4xAHk" alt=""><figcaption></figcaption></figure>

This is looking good, parameters we can customize and a session cookie that is automatically set. Everything seems vulnerable to CSRF. Let's try and make a vulnerable site. Putting `<img src="http://localhost:3000/transfer?to=alice&amount=100">` into an html file and using SimpleHTTPServer to host it should change's Alice's balance by 100, Let's see if it does!

<figure><img src="/files/XemKCCtekzBWz7LU5Jgk" alt=""><figcaption></figcaption></figure>

#### Automatic Exploitation

There is a nice automated scanner, which tests if a site is vulnerable to CSRF. this tool is known as **xsrfprobe** and can be install via pip using `pip3 install xsrfprobe`. This will only work using python 3.

The syntax for the command is `xsrfprobe -u <url>/<endpoint>`

***


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://notes.nomanaziz.me/cybersecurity/penetration-testing/tryhackme/main-methodology/3.-gaining-access-exploitation/web-applications/zth-obscure-web-vulns.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.