Category Web Attacks

SSTI, Security, Web Attacks

SSTI – Server-side template injection with a custom exploit

This one was definitely a step up in complexity. This is the 7th (and final as of Feb 2025) Server-Side Template Injection lab available on the PortSwigger Web Security Academy. I really enjoyed the series and intend on doing additional…

scomurr
03/11/2025

SSTI, Security, Web Attacks

SSTI – Server-side template injection in a sandboxed environment

Continuing the series on Server-Side Template Injection (SSTI) based on the PortSwigger Web Security Academy labs. This is the 6th in the series and we’re stepping up to an expert level lab. We’ve moved past rudimentary injection attacks and moved…

scomurr
03/04/2025

SSTI, Security, Web Attacks

SSTI – Server-side template injection with information disclosure via user-supplied objects

This is the write up for the PortSwigger Web Security Academy 5th lab in the series for Server-Side Template Injection (SSTI). This one is definitely a step up in complexity. This goes beyond identifying the location for the injection and…

scomurr
02/25/2025

SSTI, Security, Web Attacks

SSTI – Server-side template injection in an unknown language with a documented exploit

monkey riding a bike - ssti lab 4 - featured image

This is the fourth lab from the PortSwigger Web Security Academy on SSTI or Server Side Template Injection. This lab solves in almost exactly the same way as the previous labs – it’s a matter of finding where the vulnerability…

scomurr
02/20/2025

SSTI, Security, Web Attacks

SSTI – Server-side template injection using documentation

This is the third blog post covering server-side template injection and the associated PortSwigger Web Security Academy labs. This one, to me, is a lot like the last one. Like – exactly. That’s ok, though, as practice makes permanent. And…

scomurr
02/17/2025