diff --git a/content/docs/client-side/xss.md b/content/docs/client-side/xss.md index 3d8e0eb..3e932f4 100644 --- a/content/docs/client-side/xss.md +++ b/content/docs/client-side/xss.md @@ -20,6 +20,7 @@ toc: true ## Basic payloads - [Cross-site scripting (XSS) cheat sheet - PortSwigger](https://portswigger.net/web-security/cross-site-scripting/cheat-sheet): List of XSS payloads. +- [Tiny XSS Payloads](https://tinyxss.terjanq.me/) ```html diff --git a/content/docs/framework/sping_boot.md b/content/docs/framework/sping-boot.md similarity index 100% rename from content/docs/framework/sping_boot.md rename to content/docs/framework/sping-boot.md diff --git a/content/docs/framework/ssti/_index.md b/content/docs/framework/ssti/_index.md new file mode 100644 index 0000000..b81ed7b --- /dev/null +++ b/content/docs/framework/ssti/_index.md @@ -0,0 +1,9 @@ +--- +title : "SSTI" +description: "Offensive Web - SSTI" +lead: "Offensive Web - SSTI" +date: 2023-01-01T00:00:00+00:00 +lastmod: 2023-01-01T00:00:00+00:00 +draft: false +images: [] +--- diff --git a/content/docs/framework/ssti/django-template.md b/content/docs/framework/ssti/django-template.md new file mode 100644 index 0000000..0ac57a0 --- /dev/null +++ b/content/docs/framework/ssti/django-template.md 
@@ -0,0 +1,108 @@ +--- +title: "Tera" +description: "Cheatsheet on Tera" +lead: "Cheatsheet on Tera" +date: 2023-01-01T00:00:00+00:00 +lastmod: 2023-01-01T00:00:00+00:00 +draft: false +images: [] +menu: + docs: + parent: "ssti" +weight: 620 +toc: true +--- + +## Django Template Engine (DTL) + +Django ships built-in backends for its own template system, creatively called the [Django template language (DTL)](https://docs.djangoproject.com/en/5.0/topics/templates/), and for the popular alternative `Jinja2`. + +## Usage + +Basic example of DTL: + +```html +My first name is {{ first_name }}. My last name is {{ last_name }}. +{{ my_dict.key }} +{{ my_object.attribute }} +{{ my_list.0 }} +``` + +Usage of DTL in a Django application: + +```python +from django.template import engines + +django_engine = engines["django"] +template = django_engine.from_string("Hello {{ name }}!") +``` + +Example of vulnerable code: + +```python +from django.http import HttpResponse +from django.template import engines + +def index(request): + message = request.GET.get("message") + + engine = engines["django"] + template = engine.from_string("" + message + "") + return HttpResponse(template.render({}, request)) +``` + +## Detection + +DTL vs Jinja2: + +| Payload | Jinja2 | Django Templates | +| ------------------ | ------------ | ------------------------ | +| `{% csrf_token %}` | Causes error | Anti-CSRF token HTML tag | +| `{{ 7*7 }}` | 49 | Causes error | + +## Built-in + +### Debug + +```js +{% debug %} +``` + +### CSRF + +```js +{% csrf_token %} +``` + +### Secret Key Leak + +When `messages` is present in the template context and `CookieStorage` is being used we can walk through attributes of `messages` to access app's `SECRET_KEY`: + +```js +{{ messages.storages.0.signer.key }} +``` + +### Filters + +List of all filters: [Built-in filter reference](https://docs.djangoproject.com/en/5.0/ref/templates/builtins/#built-in-filter-reference) + +### XSS + +- `safe`: Marks a string as not 
requiring further HTML escaping prior to output. When autoescaping is off, this filter has no effect. +- `escape`: Escapes a string's HTML (HTML entity). +- `force_escape`: Applies HTML escaping to a string. + +```html +{% autoescape off %} + {{ message }} +{% endautoescape %} + +{{ message|safe }} + +{{ some_list|safeseq|join:", " }} +``` + +## References + +- [Django template language (DTL)](https://docs.djangoproject.com/en/5.0/topics/templates/) +- [[PDF] Django templates - Server-Side Template Injection](https://www.lifars.com/wp-content/uploads/2021/06/Django-Templates-Server-Side-Template-Injection-v1.0.pdf) \ No newline at end of file diff --git a/content/docs/framework/tera.md b/content/docs/framework/ssti/tera.md similarity index 98% rename from content/docs/framework/tera.md rename to content/docs/framework/ssti/tera.md index 7d3cfc0..ac6fdd5 100644 --- a/content/docs/framework/tera.md +++ b/content/docs/framework/ssti/tera.md @@ -8,7 +8,7 @@ draft: false images: [] menu: docs: - parent: "framework" + parent: "ssti" weight: 620 toc: true --- diff --git a/content/docs/getting-started/cheatsheets.md b/content/docs/getting-started/cheatsheets.md index 67ad59f..e8b1ced 100644 --- a/content/docs/getting-started/cheatsheets.md +++ b/content/docs/getting-started/cheatsheets.md @@ -17,6 +17,7 @@ toc: true - [mXSS cheatsheet](https://sonarsource.github.io/mxss-cheatsheet/) - [Cross-site scripting (XSS) cheat sheet](https://portswigger.net/web-security/cross-site-scripting/cheat-sheet) +- [Tiny XSS Payloads](https://tinyxss.terjanq.me/) ## SQL Injection diff --git a/content/docs/programming/python/class_pollution.md b/content/docs/programming/python/class-pollution.md similarity index 100% rename from content/docs/programming/python/class_pollution.md rename to content/docs/programming/python/class-pollution.md 
diff --git a/content/docs/programming/python/format_string.md b/content/docs/programming/python/format-string.md similarity index 100% rename from content/docs/programming/python/format_string.md rename to content/docs/programming/python/format-string.md diff --git a/content/docs/writeup/dghack2023_jarjarbank.md b/content/docs/writeup/dghack2023-jarjarbank.md similarity index 100% rename from content/docs/writeup/dghack2023_jarjarbank.md rename to content/docs/writeup/dghack2023-jarjarbank.md diff --git a/content/docs/writeup/sekaictf2023_golfjail.md b/content/docs/writeup/sekaictf2023-golfjail.md similarity index 100% rename from content/docs/writeup/sekaictf2023_golfjail.md rename to content/docs/writeup/sekaictf2023-golfjail.md
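Review bot: the `content/docs/client-side/xss.md` hunk adds `- [Tiny XSS Payloads](https://tinyxss.terjanq.me/)` without the trailing description the sibling entry carries (`: List of XSS payloads.`); add a short description so the list keeps one format. The same link added to `cheatsheets.md` sits in a list that has no descriptions, so it is fine as-is there.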
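Review bot: in the new `content/docs/framework/ssti/_index.md`, `title : "SSTI"` has a space before the colon while every other key is written `key: value`; it parses, but normalise it to `title: "SSTI"` to match the other front matter files in this diff.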
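Review bot: the front matter of the new `django-template.md` was copied from the Tera page and never updated: `title: "Tera"`, `description: "Cheatsheet on Tera"` and `lead: "Cheatsheet on Tera"` will label the Django page as Tera in the menu and in page metadata, so change all three to the Django template language. Two smaller points in the same file: the vulnerable example (`template = engine.from_string("" + message + "")`) is shown without its fixed form, and a cheat sheet that developers also read should state the remedy next to it, i.e. keep the template source constant and pass the value through the context (`engine.from_string("{{ message }}")` rendered with `{"message": message}`), noting as well that `request.GET.get("message")` returns `None` when the parameter is absent, which makes the concatenation raise a `TypeError`; and the `{% debug %}`, `{% csrf_token %}` and `{{ messages.storages.0.signer.key }}` snippets are fenced as ```js while the other DTL snippets on the page use ```html, so use one language tag for all of them.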
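Review bot: in the `tera.md` hunk the change to `parent: "ssti"` is right, but the retained context line `weight: 620` is the same weight the new `django-template.md` declares, so the order of the two pages in the ssti submenu is left to Hugo's tie-break rather than set explicitly; give one of the two pages a different weight.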
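Review bot: the underscore-to-hyphen renames (`sping_boot.md`, `class_pollution.md`, `format_string.md`, `dghack2023_jarjarbank.md`, `sekaictf2023_golfjail.md`) change the published URLs, and nothing in the diff adds `aliases:` front matter or a redirect for the old slugs, so existing in-site links and external bookmarks to the previous paths will break; add aliases for the old paths and check the repository for links that still use them. Since the Spring Boot page is being renamed anyway, fix the `sping` typo in `sping-boot.md` in the same change instead of carrying it over.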