Summary
- A web vulnerability called template injection can lead to data theft, remote code execution, and even complete system control.
- This issue arises when an attacker injects malicious code into a web application’s template engine due to insufficient sanitisation of user input.
- Jinja2, a commonly used Python template engine, is one example that relies on expressions (values) and statements (logic flow) to create templates.
- An attacker can exploit template injection by manipulating a website’s templates to execute arbitrary commands, which may lead to full system control.
- A reward of $300 was given to a security researcher who responsibly reported this issue, making it a potentially easy catch for other bug hunters.
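The root cause described above, shown as an added example that is not from the original article or the reported target: a Jinja2 view that builds the template source from user input evaluates whatever the user typed, while passing the same input as a context value renders it as plain text. The check at the end is only a logging aid, not a fix; the sample input is constructed and the function names are hypothetical.

```python
"""Server-side template injection in Jinja2: vulnerable pattern, fixed pattern,
and a simple input check a defender can log on. Requires the jinja2 package."""
import re
from jinja2 import Environment

# Constructed sample input: template syntax rather than a plain name.
SAMPLE_INPUT = "{{ 7 * 7 }}"

# Matches Jinja2 expression, statement and comment delimiters.
TEMPLATE_DELIMS = re.compile(r"\{\{|\{%|\{#")


def render_vulnerable(name: str) -> str:
    """Insecure: untrusted input becomes part of the template SOURCE.

    The engine parses and evaluates whatever the user submitted, so an
    expression is executed instead of displayed.
    """
    env = Environment(autoescape=True)
    return env.from_string("Hello " + name + "!").render()


def render_safe(name: str) -> str:
    """Fixed: the template source is a constant; input is a context VALUE.

    The engine never parses the input, so it is rendered literally.
    """
    env = Environment(autoescape=True)
    return env.from_string("Hello {{ name }}!").render(name=name)


def looks_like_template_syntax(value: str) -> bool:
    """Detection aid (not a fix): flag inputs carrying template delimiters
    so they can be logged or alerted on; ordinary names never contain them."""
    return TEMPLATE_DELIMS.search(value) is not None


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(SAMPLE_INPUT))  # Hello 49!
    print("safe:      ", render_safe(SAMPLE_INPUT))        # Hello {{ 7 * 7 }}!
    print("flagged:   ", looks_like_template_syntax(SAMPLE_INPUT))  # True
```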
By Abhijeet Kumawat
Original Article