2025-12-13, Rookie Track 1
Join us for a demonstration of a Twig template language Server-Side Template Injection (SSTI) vulnerability identified and successfully exploited in a real client engagement. Through the vulnerability we obtained command execution, with the command output landing in our email inbox, which led to a reverse shell; once a foothold had been established, we pivoted into the client's Google Cloud Platform (GCP) environment by leveraging application credentials.
Beyond the war story itself, we will explore how to look for different SSTI vulnerabilities, how to discover attack surface for different templating engines and how to exploit it safely, showcase pivoting opportunities into cloud environments such as GCP to demonstrate customer impact, and discuss how to handle client communications.
Server-Side Template Injection findings are relatively rare in web application engagements; the talk mainly aims to demonstrate exploitation, how to find different abuse paths for templating engines, and where limitations may stop us from fully exploiting the vulnerability.
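The vulnerable pattern behind a Twig SSTI, and its hardened form, as an added example that is not part of the talk or the engagement described above. It assumes a standard Composer-installed Twig (vendor/autoload.php) and uses a constructed request parameter named "name"; the injection point, the abuse path (user input becoming part of the template source rather than a template variable) and the limitation that a sandbox policy imposes are the points the abstract refers to:

```php
<?php
// Added example (not from the talk): how a Twig SSTI typically arises, the
// hardened equivalent, and the sandbox extension as defence in depth.
// Assumption: twig/twig is installed via Composer so that vendor/autoload.php exists.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Extension\SandboxExtension;
use Twig\Loader\ArrayLoader;
use Twig\Sandbox\SecurityError;
use Twig\Sandbox\SecurityPolicy;

// Constructed sample input: an untrusted request parameter (e.g. a "name" field).
$untrusted = $_GET['name'] ?? 'World';

$twig = new Environment(new ArrayLoader([]));

// VULNERABLE: untrusted input is concatenated into the template SOURCE, so the
// caller controls Twig syntax ({{ ... }}, {% ... %}), not just a value. Twig
// compiles and evaluates whatever expressions the input contains. When
// reviewing code, any createTemplate()/loadTemplate() call fed from request
// data is the pattern to flag.
function renderVulnerable(Environment $twig, string $untrusted): string
{
    return $twig->createTemplate('Hello ' . $untrusted . '!')->render();
}

// SAFE: the template source is a fixed string and the untrusted input is passed
// in as a template VARIABLE. Twig treats it as data, and the default "html"
// autoescape strategy also neutralises any HTML it may contain.
function renderSafe(Environment $twig, string $untrusted): string
{
    return $twig->createTemplate('Hello {{ name }}!')->render(['name' => $untrusted]);
}

// DEFENCE IN DEPTH: if user-authored templates are a product requirement
// (e.g. customisable email templates), enable the sandbox with an explicit
// allow-list. Tags, filters, functions, methods and properties outside the
// policy raise SecurityError instead of executing. This is the kind of
// limitation that can stop an SSTI short of code execution, but it is not a
// substitute for keeping untrusted data out of template source.
function renderSandboxed(string $userTemplate, array $vars): string
{
    $policy = new SecurityPolicy(
        ['if', 'for'],          // allowed tags
        ['escape', 'upper'],    // allowed filters
        [],                     // allowed methods (none)
        [],                     // allowed properties (none)
        []                      // allowed functions (none)
    );
    $twig = new Environment(new ArrayLoader([]));
    $twig->addExtension(new SandboxExtension($policy, true)); // true = always sandboxed

    try {
        return $twig->createTemplate($userTemplate)->render($vars);
    } catch (SecurityError $e) {
        // Log and fail closed; the template tried something outside the policy.
        error_log('Sandbox violation in user template: ' . $e->getMessage());
        return '';
    }
}

echo renderSafe($twig, $untrusted), PHP_EOL;
echo renderSandboxed('Hi {{ name|upper }}', ['name' => $untrusted]), PHP_EOL;
```

The practical review question is whether request data ever reaches the template source (the first function) or only the render context (the second); the sandbox in the third function is worth configuring where templates are legitimately user-authored, and its policy is also what a tester will run into when exploitation stalls.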
Since testers in most web application penetration tests are contractually obliged by the scoping document not to engage in any testing beyond the agreed scope, such as Docker breakout or privilege escalation attempts, there is usually little opportunity to showcase impact beyond gaining a shell on the server. With the rising adoption of cloud computing, more clients are deploying their web applications in cloud environments. This often allows us to probe cloud metadata endpoints to gather credentials for the cloud environment, and therefore to showcase impact without performing potentially disruptive or out-of-scope actions.
Finally, we will briefly discuss how to appropriately communicate such findings to the relevant parties on the client's side.
Overall, the talk will focus on the technical exploitation of SSTI vulnerabilities, on looking for opportunities to pivot into the cloud environment, and on how to appropriately handle client communications around such critical findings.
Hi, my name's Filip and I'm from Poland. I have been a penetration tester in the UK for the past 3.5 years, working for various companies. Recently, I've become a part of the adversary simulation team at JUMPSEC. Outside of pentesting, I enjoy playing football!
