Commit 8f5991b

v41 and stable tweaks
- Add v4.1 PDF to download tab.
- Add raw code tags to SSTI pages so that they render properly.

```text
Liquid Warning: Liquid syntax error (line 48): Unexpected character * in "{{7*7}}" in v40/4-Web_Application_Security_Testing/07-Input_Validation_Testing/18-Testing_for_Server_Side_Template_Injection.md
Liquid Warning: Liquid syntax error (line 68): Unexpected character * in "{{7*7}}" in v40/4-Web_Application_Security_Testing/07-Input_Validation_Testing/18-Testing_for_Server_Side_Template_Injection.md
```

Signed-off-by: kingthorin <kingthorin@users.noreply.github.com>
1 parent d099a28 commit 8f5991b

3 files changed

+10
-0
lines changed

stable/4-Web_Application_Security_Testing/07-Input_Validation_Testing/18-Testing_for_Server_Side_Template_Injection.md

Lines changed: 4 additions & 0 deletions
@@ -51,10 +51,12 @@ def page():
5151

5252
This code snippet is vulnerable to XSS but it is also vulnerable to SSTI. Using the following as a payload in the `name` parameter:
5353

54+
{% raw %}
5455
```bash
5556
$ curl -g 'http://www.target.com/page?name={{7*7}}'
5657
Hello 49!
5758
```
59+
{% endraw %}
5860

5961
## How to Test
6062

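Review bot: the Liquid warnings quoted in the commit message name `v40/4-Web_Application_Security_Testing/07-Input_Validation_Testing/18-Testing_for_Server_Side_Template_Injection.md` (lines 48 and 68), but this hunk wraps the `{{7*7}}` block in `stable/...` and the only other copy touched by the commit is `v41/...`; if `v40/` is a separate file rather than an alias of one of those, the warning that motivated the change is still unfixed there. Also worth a line in the commit message: the `{% raw %}` / `{% endraw %}` added at 54 and 59 sit outside the fence, so any renderer that does not run Liquid shows them as literal text around the curl example; that is the usual trade-off for keeping `{{7*7}}` intact on the published site, but without a note the next editor may strip them as stray markup and reintroduce the warning.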
@@ -70,11 +72,13 @@ The first step in testing SSTI in plaintext context is to construct common templ
7072

7173
Common template expression examples:
7274

75+
{% raw %}
7376
```html
7477
a{{bar}}b
7578
a{{7*7}}
7679
{var} ${var} {{var}} <%var%> [% var %]
7780
```
81+
{% endraw %}
7882

7983
In this step an extensive [template expression test strings/payloads list](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection) is recommended.
8084

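Review bot: only the three `{{...}}` entries in this block (`a{{bar}}b`, `a{{7*7}}`, `{{var}}`) are Liquid-significant; `{var}`, `${var}`, `<%var%>` and `[% var %]` are inert, so one `{% raw %}` wrapper around the whole fence is the right granularity rather than per-line escaping. Two small follow-ups: the fence is tagged `html` although the content is a list of template-expression probes rather than markup, so `text` describes it better; and since the commit message lists only the two lines Liquid complained about, it is worth grepping the remaining SSTI pages for `{{` and `{%` outside a raw block so the build does not surface the same warning on the next page.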
tab_downloads.md

Lines changed: 2 additions & 0 deletions
@@ -17,6 +17,8 @@ View the always-current stable version at [stable](stable/).
1717

1818
[Version 4.1](v41/) serves as a post-migration stable version under the new GitHub repository workflow.
1919

20+
[Download the v4.1 PDF](https://github.com/OWASP/wstg/releases/download/v4.1/wstg-v4.1.pdf) here.
21+
2022
## [Version 4.0] - 2014-09-17
2123

2224
[Download the v4 PDF](assets/archive/OWASP_Testing_Guide_v4.pdf) here.
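Review bot: the new v4.1 link (line 20) points at a GitHub release asset, `https://github.com/OWASP/wstg/releases/download/v4.1/wstg-v4.1.pdf`, while the v4 entry two lines below links to a file kept in the repository, `assets/archive/OWASP_Testing_Guide_v4.pdf`. A release asset can be replaced without a commit, so there is no version-controlled record of what readers actually downloaded; either archive the v4.1 PDF under `assets/archive/` like v4, or publish a checksum beside the link so a reader can verify the file they fetched. The trailing "here." after a link whose text is already "Download the v4.1 PDF" is redundant, though it does match the v4 line.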

v41/4-Web_Application_Security_Testing/07-Input_Validation_Testing/18-Testing_for_Server_Side_Template_Injection.md

Lines changed: 4 additions & 0 deletions
@@ -51,10 +51,12 @@ def page():
5151

5252
This code snippet is vulnerable to XSS but it is also vulnerable to SSTI. Using the following as a payload in the `name` parameter:
5353

54+
{% raw %}
5455
```bash
5556
$ curl -g 'http://www.target.com/page?name={{7*7}}'
5657
Hello 49!
5758
```
59+
{% endraw %}
5860

5961
## How to Test
6062

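Review bot: this hunk is byte-for-byte the same as the one applied to `stable/.../18-Testing_for_Server_Side_Template_Injection.md` in this commit, which means `stable/` and `v41/` are hand-edited copies that the committer has to keep in lockstep. If `stable/` is meant to mirror the current release, consider producing it from `v41/` (a copy step in the build, or a symlink) instead of editing both, so a fix landing in one cannot be forgotten in the other; the `v40/` path named in the commit message's warnings is exactly such a copy that this commit does not touch.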
@@ -70,11 +72,13 @@ The first step in testing SSTI in plaintext context is to construct common templ
7072

7173
Common template expression examples:
7274

75+
{% raw %}
7376
```html
7477
a{{bar}}b
7578
a{{7*7}}
7679
{var} ${var} {{var}} <%var%> [% var %]
7780
```
81+
{% endraw %}
7882

7983
In this step an extensive [template expression test strings/payloads list](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection) is recommended.
8084
