Jinja

Syntax

The content below is based on OffSec's WEB-200 course.

<h1>Hey {{ name }}</h1>
{% if reasons %}
Here are a couple of reasons why you are great:
<ul>
{% for r in reasons %}
  <li>{{r}}</li>
{% endfor %}
</ul>
{% endif %}

SSTI

The example below is based on OffSec's WEB-200 course.

Jinja uses Python which strictly handles variables, unline PHP, Java, and JavaScript, something we can use to identify it (Figure 1).

{{5*'5'}}

Figure 1: Identifying a Jinja templating engine.

Jinja is typically used with the Flask framework, and the latter sets six global variables: config, request, session, g, url_for(), and get_flashed_messages(). Therefore, another way to identify this templating engine is by accessing those variables (Figure 2).

Figure 2: Enumerating a Jinja templating engine via Flask's global variables.

The config global variable may contain application secrets, such as private keys or database passwords, so it is always a worthwhile check (Figure 3).

{{config|pprint}}

Figure 3: Inspecting the config global variable's contents

RCE is covered in WEB-300.