Handlebars

Syntax

The content below is based on OffSec's WEB-200 course.

The most popular Handlebars library is for JavaScript (handlebars.js), which allows for both client-side and server-side rendering.

<h1>Hello {{name}}</h1>
{{#if nicknames}}
Also known as:
  {{#each nicknames}}
    {{this}}
  {{/each}}
{{/if}}

SSTI

The example below is based on OffSec's WEB-200 course.

Handlebars' "logic-less" design does not natively support functions that could lead to RCE. However, developers can register additional helpers that expose more of the underlying programming language to the template, such as the handlebars-helpers package. The latter includes the readdir helper, which returns an array of files from the given directory (Figure 1.1), and the read helper, which is used to read system files (Figure 1.2).

{{#each (readdir "/etc")}}
  {{this}}
{{/each}}
{{read "/etc/passwd"}}
Figure 1: Leveraging handlebars-helpers to read system files.
