Server-Side Template Injection - Discovery to Exploitation (Remote Session)

Topic: Server-Side Template Injection - Discovery to Exploitation
Duration: 30-40min

Abstract:
Many web technologies are using template engines for content delivery to web components or even in email context. This is majorly done by embedding dynamic contents into specified template sections. Doing this in unsafe manner can cause insecurities in the application that can even leads to remote code execution. This talk will be explaining the concepts behind template engines, how it works and walk through insecure coding practices with source code examples. We will also discuss how to discover template injection vulnerabilities from pentest point of view and what could go wrong if this can be exploited with a working demo.

Bio:
Sanoop Thomas (@s4n7h0) is a seasoned security professional with diverse background in consulting, teaching, research and product-based industries with a passion to solve complex security problems. Today, Sanoop works as information security specialist focusing on application security and secure coding. His field of interest includes reverse engineering, malware analysis, application security and automating security pentest/analysis methodologies. He is moderating null open community chapter in Singapore and organised over 60 events & workshops to spread security awareness across country. Sanoop is also the author of Halcyon IDE (https://t.co/6mCymDAizg) an IDE that is focused to develop Nmap scripts. He has spoken at security conferences like Nullcon, OWASP India, HITBGSEC, Rootcon, Defcon and Blackhat Arsenal.