From Jinja to Ninja: Abusing Jinja Template Engine For Code Execution And How To Get Secure
Information Security
Oyediji is a cybersecurity enthusiast, bug bounty hunter and Python developer. Oyediji currently works as a security consultant at PhynxLabs Consulting, where his daily functions involve penetration testing and vulnerability assessment. He has found and reported bugs in various platforms, ranging from point-of-sale systems and internet banking platforms to flight and ticket booking platforms. He enjoys reading and watching anime when he isn't working at his computer.
Server-side template injection (SSTI) occurs when user input is unsafely embedded into a server-side template, allowing users to inject template directives. Using malicious template directives, an attacker may be able to execute arbitrary code and take full control of the web server. This talk focuses on how to identify and exploit Jinja templates that are built unsafely from user input in order to achieve arbitrary code execution. It also covers safeguards for configuring and using Jinja templates so as to avoid server-side template injection.
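The following is an added example written for this page; it is not code from the talk or its speaker. It assumes the `jinja2` package is installed and shows the three patterns the abstract refers to: the vulnerable pattern (user input concatenated into the template source, so a `{{ 7 * 7 }}` probe is evaluated), the hardened pattern (a fixed template with user data passed as a context variable and autoescaping on), and a sandboxed environment for the case where users must legitimately supply template text. The function names and the sample inputs are constructed for the example.

```python
from jinja2 import Environment, StrictUndefined
from jinja2.exceptions import SecurityError
from jinja2.sandbox import SandboxedEnvironment


def render_vulnerable(username: str) -> str:
    """Deliberately vulnerable: user input becomes part of the template source.

    Anything the user writes between {{ }} is evaluated by Jinja, so a probe
    such as "{{ 7 * 7 }}" renders as "49" and a payload that walks Python's
    object graph can reach os/subprocess. Shown only as the 'before' case.
    """
    env = Environment()
    template_source = "Hello " + username + "!"   # injection point
    return env.from_string(template_source).render()


def render_safe(username: str) -> str:
    """Hardened: the template source is a fixed string the developer controls.

    User data only ever enters as a context variable, so "{{ 7 * 7 }}" is
    printed literally, and autoescape=True turns HTML metacharacters into
    entities (a separate defence against XSS, not against SSTI).
    """
    env = Environment(autoescape=True)
    return env.from_string("Hello {{ username }}!").render(username=username)


def render_sandboxed(template_source: str, **context) -> str:
    """For features where users genuinely author templates (e.g. mail bodies).

    SandboxedEnvironment refuses access to underscore-prefixed and other
    unsafe attributes, so the classic ''.__class__.__mro__ walk raises
    SecurityError instead of exposing Python internals. StrictUndefined makes
    the failure loud rather than rendering an empty string.
    Caveat: the sandbox limits attribute access; it does not stop the template
    from evaluating ordinary expressions, so "{{ 7 * 7 }}" still yields "49".
    """
    env = SandboxedEnvironment(autoescape=True, undefined=StrictUndefined)
    try:
        return env.from_string(template_source).render(**context)
    except SecurityError as exc:
        # In a real application: log the attempt and return a generic error.
        return f"blocked: {exc}"


if __name__ == "__main__":
    probe = "{{ 7 * 7 }}"                         # constructed SSTI probe
    payload = "{{ ''.__class__.__mro__ }}"        # constructed object-walk payload
    print("vulnerable:", render_vulnerable(probe))     # Hello 49!
    print("safe      :", render_safe(probe))           # Hello {{ 7 * 7 }}!
    print("safe/html :", render_safe("<b>x</b>"))      # Hello &lt;b&gt;x&lt;/b&gt;!
    print("sandbox   :", render_sandboxed(payload))    # blocked: ...
```

A quick way to triage an endpoint is exactly the probe used above: if `{{ 7 * 7 }}` (or `${7*7}`, `#{7*7}` for other engines) comes back as `49`, the input is being compiled as template source rather than rendered as data. The fix is to move user data into the render context, and to reach for `SandboxedEnvironment` only when users must supply templates themselves, keeping in mind that the sandbox restricts attribute and method access but still evaluates expressions and can still be used for denial of service through expensive templates.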