During his Black Hat 2015 presentation, James Kettle explained how template injections could lead to code execution. At the end of the talk, he recommended running application in containers with limited privileges and read-only file system.
Six years later, containers are now the standard of web-app deployment and getting code execution inside a well isolated container can be seen as low impact. In this workshop we will explore new template injection techniques specially crafted for hardened environment.
We will focus on two environments:
• Python with Flask / Jinja2
We will build our own tooling in Python to solve a series of challenges with increasing difficulty.
Required for the workshop:
• Basic Docker skill