portswigger-all-labs

Complete PortSwigger Web Security Academy Lab Writeups

Detailed, categorized solutions for every lab — from APPRENTICE to EXPERT — covering all 30 vulnerability types.

Labs Covered

This write-up focuses on the following PRACTITIONER-level labs from the PortSwigger Web Security Academy related to Server-side template injection (SSTI):

1 Basic server-side template injection

This lab demonstrates how attackers can inject server-side template expressions to execute arbitrary code or access sensitive data.

2 Basic server-side template injection (code context)

This lab shows SSTI exploitation when template expressions are directly evaluated in code execution context.

3 Server-side template injection using documentation

This lab demonstrates how official template engine documentation can help attackers craft effective SSTI payloads.

4 Server-side template injection in an unknown language with a documented exploit

This lab explores how attackers can exploit SSTI in template engines even when the backend language is unknown, by leveraging known techniques.

5 Server-side template injection with information disclosure via user-supplied objects

This lab demonstrates how attackers can supply specially crafted objects to disclose information during SSTI exploitation.

LAB 1 - Basic server-side template injection

Lab Description

image

Solution

When I clicked the image below, the message "Unfortunately product is out of stock" appeared above.

image

I tried all the payloads and found that the payload below is evaluated, so I went to HackTricks to find out which template engine it is.

image

Searching HackTricks, we find two more candidates, so look closely when selecting the syntax; proper testing should be performed.

image

To confirm this, we enter whoami incorrectly, and the error tells us this is Ruby.

image

Now we run whoami, which gives us carlos, so we have to remove morale.txt to solve the lab.

image

Remove `morale.txt` and the lab is solved.

image

image


LAB 2 - Basic server-side template injection (code context)

Lab Description

image

Solution

When commenting, none of the payloads work.

image

I pressed submit and then looked at the Burp intercept.

image

As we can see, user.template looks like a template.

image

Now that we have commented above, we manipulate user.name with an invalid value. Where our user name is shown on the comment, it generates an error, and we learn the template engine of the website, which is Tornado (Python).

image

image

Now we run it to get the whoami result.

image

How we crafted the payload:

image

When we run the OS command, we can see the whoami result below: carlos.

image

Now remove morale.txt and get the flag.

image

image


LAB 3 - Server-side template injection using documentation

Lab Description

image

Solution

When we edit the template and give it a wrong object (king instead of name), it gives us an error and the template engine name.

image

The error tells us the template engine being used, which is FreeMarker (Java), so we search on HackTricks.

image

So we use the template below.

image

As we can see, the result 49 comes back when we save it.

image

We used a FreeMarker SSTI payload and got carlos, as shown below. Now we remove morale.txt and the lab is solved.

image


LAB 4 - Server-side template injection in an unknown language with a documented exploit

Lab Description

image

Solution

When we click on the first product, we see "Unfortunately product is out of stock", so our click is reflected and we can try SSTI.

image

We have this, but when I change the input it is not reflected, so we will not get SSTI here. We look at where our input is reflected.

image

Instead of clicking on the product, reload the page and intercept it through Burp. We see that our input is reflected, so we can try SSTI here.

image

When we try our first payload, it gives us an error that reveals the template engine, which is Handlebars on Node.js. We then used HackTricks to find the template and get it.

image

image

We get the same result.

image

With the whoami command in exec, the result below comes back.

image

When I enter rm /home/, it deletes morale.txt.

image

I think the reason the error appears is that obfuscation is used for external connections, so we can also curl the domain and get its IP.

image

Copy the above payload into the message box, get the result, and submit it; the lab will be solved.

image


LAB 5 - Server-side template injection with information disclosure via user-supplied objects

Lab Description

image

Solution

When I give an invalid template, it gives me nothing, as shown below.

image

But when I give nothing in the template, it gives me an error that includes the template engine being used:

image

Below is the error message, which indicates a Django template in Python.

image

We searched on HackTricks but did not find anything, so we searched on Google and used `{% debug %}` to get debugging info.

image

We get the debug info.

image

Some code from the config file is shown below.

image

I pasted this into ChatGPT and Bard, asked how to get the secret key, and got the answer.

The settings parameter is set, so we used it to get the secret key.

image

We get the secret key, highlighted in blue in the corner. Using the `settings.SECRET_KEY` template we get the secret key B470kmufjldtcwixfwlhiyhfalliat62, and then the lab is solved.

image
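The root cause in LAB 5 is that a user-editable template is rendered against a context holding live objects, so a lookup such as `settings.SECRET_KEY` resolves. The sketch below is an added example, not code from the lab or this writeup: it uses Python's `str.format` as a stand-in for the template engine (an assumption), and `Settings`, `Product`, `risky_context_keys`, `render_unsafe` and `render_hardened` are hypothetical names with a constructed key value.

```python
from string import Template

SAFE_TYPES = (str, int, float, bool, type(None))


class Settings:
    """Constructed stand-in for a framework settings object."""
    SECRET_KEY = "constructed-example-key"  # constructed value, not a real key


class Product:
    def __init__(self, name, price):
        self.name = name
        self.price = price


def risky_context_keys(context):
    """Names of context entries that hand the template a live object."""
    return sorted(k for k, v in context.items() if not isinstance(v, SAFE_TYPES))


def render_unsafe(user_template, context):
    # Vulnerable pattern: a user-editable template is rendered against live
    # objects. str.format stands in for the engine (assumption): like a
    # template engine, it resolves {object.attribute} lookups.
    return user_template.format(**context)


def render_hardened(user_template, product):
    # Hardened pattern: flatten to an allow-list of scalars. string.Template
    # only substitutes $name placeholders and cannot walk attributes.
    allowed = {"name": product.name, "price": f"{product.price:.2f}"}
    if risky_context_keys(allowed):
        raise ValueError("template context must contain scalars only")
    return Template(user_template).safe_substitute(allowed)


if __name__ == "__main__":
    lamp = Product("Lamp", 19.5)
    ctx = {"product": lamp, "settings": Settings()}
    print(risky_context_keys(ctx))
    print(render_unsafe("{product.name}: {settings.SECRET_KEY}", ctx))
    print(render_hardened("$name costs $price {settings.SECRET_KEY}", lamp))
```

Running `risky_context_keys` over a render context in a unit test or code review flags every entry that would let a user-supplied template reach application objects.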