Limitations Are Just An Illusion: Brumens on Leveraging Advanced SSTI Exploitation to Achieve RCE

Alex Brumen aka Brumens, YesWeHack's Researcher Enablement Analyst, discussed how "Limitations are just an illusion" during the security conference Ekoparty 2024 in Buenos Aires. This talk explains some new techniques for exploiting server-side template injections (SSTIs) with complex, unique payloads that leverage default methods and syntax from various template engines. It even shows how to do so without needing any quotation marks or extra plugins within the templates. Brumens details how the payloads were discovered and how each payload was able to achieve Remote Code Execution (RCE) despite all the limitations. If you're interested in watching the other talks presented at Ekoparty, check out their YouTube channel: @EkopartyConference #BugBounty #BugBountyTips #YesWeRHackers #SSTI #RCE