A1: Injection


Hello,


Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.

This is a demonstration of an Server-Side Template Injection (SSTI). The main goal of the attacker is to try to inject code in the hopes to execute it remotely. Popular web frameworks such as Flask uses Templating engines such as Jinja2 that can be exploited by this attack if not implemented carefully.