Posts

Showing posts from July, 2021

Server Side Template Injection

Web App Pentesting - Server Side Template Injection What is it? Before we understand the attack, first lets understand what template engine is ( eh? colloquially lets understand how web template system would work? and lets not re-write what's already written, here is a link to Wikipedia -  https://en.wikipedia.org/wiki/Web_template_system ). So web template system consists of three main components.  1. Template Engine 2. Content Resource (DB etc) 3. Template Resource Lets select Django Template Engine (TE), it has two tasks to perform 1. Parsing the template engine language  2. And rendering it accordingly on a page Django (again that's the main TE) we are talking about here. Django has two TEs  1. Django Templates 2. Jinja2 ...to be continued.
Post a Comment
Read more

The correct way to install Jython (for Burpsuite)

You need to install Jython the correct way in order to ensure some of the Burp plugins work correctly. Some of these Burp plugins depend on Python libraries for e.g. requests, so installing Jython and then using  $ wget https://repo1.maven.org/maven2/org/python/jython-installer/2.7.2/jython-installer-2.7.2.jar $ java -jar jython-installer-2.7.2.jar -s -d /path/to/install/jython -t standard Further for e.g. if you need requests install it like this: Download requests-2.25.1.tar.gz from the official repo ( https://pypi.org/project/requests/#files ), then go to that directory in terminal, and type the following command, java -jar /Users/brutus/Downloads/jython-standalone-2.7.2.jar setup.py install
Post a Comment
Read more