Server-Side Template Injection: RCE For The Modern Web App ΡΠΊΠ°ΡΠ°ΡΡ Π² Ρ ΠΎΡΠΎΡΠ΅ΠΌ ΠΊΠ°ΡΠ΅ΡΡΠ²Π΅
Server-Side Template Injection: RCE For The Modern Web App
9 years ago
ΠΠ΅ ΡΠ΄Π°Π΅ΡΡΡ Π·Π°Π³ΡΡΠ·ΠΈΡΡ Youtube-ΠΏΠ»Π΅Π΅Ρ. ΠΡΠΎΠ²Π΅ΡΡΡΠ΅ Π±Π»ΠΎΠΊΠΈΡΠΎΠ²ΠΊΡ Youtube Π² Π²Π°ΡΠ΅ΠΉ ΡΠ΅ΡΠΈ.
ΠΠΎΠ²ΡΠΎΡΡΠ΅ΠΌ ΠΏΠΎΠΏΡΡΠΊΡ...
ΠΠΎΠ²ΡΠΎΡΡΠ΅ΠΌ ΠΏΠΎΠΏΡΡΠΊΡ...
Π‘ΠΊΠ°ΡΠ°ΡΡ Π²ΠΈΠ΄Π΅ΠΎ Ρ ΡΡΡΠ± ΠΏΠΎ ΡΡΡΠ»ΠΊΠ΅ ΠΈΠ»ΠΈ ΡΠΌΠΎΡΡΠ΅ΡΡ Π±Π΅Π· Π±Π»ΠΎΠΊΠΈΡΠΎΠ²ΠΎΠΊ Π½Π° ΡΠ°ΠΉΡΠ΅: Server-Side Template Injection: RCE For The Modern Web App Π² ΠΊΠ°ΡΠ΅ΡΡΠ²Π΅ 4k
Π£ Π½Π°Ρ Π²Ρ ΠΌΠΎΠΆΠ΅ΡΠ΅ ΠΏΠΎΡΠΌΠΎΡΡΠ΅ΡΡ Π±Π΅ΡΠΏΠ»Π°ΡΠ½ΠΎ Server-Side Template Injection: RCE For The Modern Web App ΠΈΠ»ΠΈ ΡΠΊΠ°ΡΠ°ΡΡ Π² ΠΌΠ°ΠΊΡΠΈΠΌΠ°Π»ΡΠ½ΠΎΠΌ Π΄ΠΎΡΡΡΠΏΠ½ΠΎΠΌ ΠΊΠ°ΡΠ΅ΡΡΠ²Π΅, Π²ΠΈΠ΄Π΅ΠΎ ΠΊΠΎΡΠΎΡΠΎΠ΅ Π±ΡΠ»ΠΎ Π·Π°Π³ΡΡΠΆΠ΅Π½ΠΎ Π½Π° ΡΡΡΠ±. ΠΠ»Ρ Π·Π°Π³ΡΡΠ·ΠΊΠΈ Π²ΡΠ±Π΅ΡΠΈΡΠ΅ Π²Π°ΡΠΈΠ°Π½Ρ ΠΈΠ· ΡΠΎΡΠΌΡ Π½ΠΈΠΆΠ΅:
-
ΠΠ½ΡΠΎΡΠΌΠ°ΡΠΈΡ ΠΏΠΎ Π·Π°Π³ΡΡΠ·ΠΊΠ΅:
Π‘ΠΊΠ°ΡΠ°ΡΡ mp3 Ρ ΡΡΡΠ±Π° ΠΎΡΠ΄Π΅Π»ΡΠ½ΡΠΌ ΡΠ°ΠΉΠ»ΠΎΠΌ. ΠΠ΅ΡΠΏΠ»Π°ΡΠ½ΡΠΉ ΡΠΈΠ½Π³ΡΠΎΠ½ Server-Side Template Injection: RCE For The Modern Web App Π² ΡΠΎΡΠΌΠ°ΡΠ΅ MP3:
ΠΡΠ»ΠΈ ΠΊΠ½ΠΎΠΏΠΊΠΈ ΡΠΊΠ°ΡΠΈΠ²Π°Π½ΠΈΡ Π½Π΅
Π·Π°Π³ΡΡΠ·ΠΈΠ»ΠΈΡΡ
ΠΠΠΠΠΠ’Π ΠΠΠΠ‘Π¬ ΠΈΠ»ΠΈ ΠΎΠ±Π½ΠΎΠ²ΠΈΡΠ΅ ΡΡΡΠ°Π½ΠΈΡΡ
ΠΡΠ»ΠΈ Π²ΠΎΠ·Π½ΠΈΠΊΠ°ΡΡ ΠΏΡΠΎΠ±Π»Π΅ΠΌΡ ΡΠΎ ΡΠΊΠ°ΡΠΈΠ²Π°Π½ΠΈΠ΅ΠΌ Π²ΠΈΠ΄Π΅ΠΎ, ΠΏΠΎΠΆΠ°Π»ΡΠΉΡΡΠ° Π½Π°ΠΏΠΈΡΠΈΡΠ΅ Π² ΠΏΠΎΠ΄Π΄Π΅ΡΠΆΠΊΡ ΠΏΠΎ Π°Π΄ΡΠ΅ΡΡ Π²Π½ΠΈΠ·Ρ
ΡΡΡΠ°Π½ΠΈΡΡ.
Π‘ΠΏΠ°ΡΠΈΠ±ΠΎ Π·Π° ΠΈΡΠΏΠΎΠ»ΡΠ·ΠΎΠ²Π°Π½ΠΈΠ΅ ΡΠ΅ΡΠ²ΠΈΡΠ° ClipSaver.ru
Server-Side Template Injection: RCE For The Modern Web App
by James Kettle Simple inputs can conceal an {expansive} attack surface. Feature-rich web applications often embed user input in web templates in an attempt to offer flexible functionality and developer shortcuts, creating a vulnerability easily mistaken for XSS. In this presentation, I'll discuss techniques to recognize template injection, then show how to take template engines on a journey deeply orthogonal to their intended purpose and ultimately gain arbitrary code execution. I'll show this technique being applied to craft exploits that hijack four popular template engines, then demonstrate RCE zero-days on two corporate web applications. This presentation will also cover techniques for automated detection of template injection, and exploiting subtle, application-specific vulnerabilities that can arise in otherwise secure template systems.
Comments
