W-SSTI-FLASKExecution

SSTI — Jinja2 / Flask

Server-Side Template Injection via {{ }} — escape the sandbox via __class__.__mro__ or config.from_pyfile to reach exec.

§ Where this technique fits

W-SSTI-FLASK is catalogued under the Execution tactic of the offensive-security kill-chain. It appears in 1 approved dossier in the registry, typically at step 2 on average.

§ Dossiers chaining this technique

SSTI (Jinja2) → sandbox escape → RCE
User input rendered as a Jinja2 template instead of escaped. Escape the sandbox via __class__.__mro__ to reach subprocess and execute commands.
step 2 / 6

§ What commonly comes next

01
OS Command Injection
W-CMDI · Execution
seen 1×

§ Where this technique fits

§ Dossiers chaining this technique

SSTI (Jinja2) → sandbox escape → RCE

§ What commonly comes next