Web application vulnerable to Python3 Flask SSTI (CVE-2019-8341)# Llama Facts
This project was originally created for the Rochester Institute of Technology (RIT) Women in Cybersecurity (WIYCS) 2022 CTF competition. It is vulnerable to Server-Side Template Injection (SSTI), defined in the disputed CVE CVE-2019-8341.
## Challenge Description
Description: A Computer Science 1 student created a website to showcase their newly-acquired python skills. Can you look into their search engine to ensure it is secure?
## Usage
Requires having docker engine installed and running.
`docker build -t wiycs_web . && docker run -p 5656:5656 -it wiycs_web`
Then navigate to `http://localhost:5656` and test your SSTI skills! Hopefully you'll learn a few llama facts along the way.
[4.0K] /data/pocs/b8e00d93e1903de69aafe82b3b83abbb9c835948
├── [ 69] build_run.sh
├── [ 257] Dockerfile
├── [ 22] flag.txt
├── [ 715] README.md
├── [4.0K] req
│ ├── [ 22] requirements.txt
│ └── [4.0K] whl
│ ├── [321K] click-8.0.3.tar.gz
│ ├── [614K] Flask-2.0.2.tar.gz
│ ├── [ 58K] itsdangerous-2.0.1.tar.gz
│ ├── [263K] Jinja2-3.0.3.tar.gz
│ ├── [ 18K] MarkupSafe-2.0.1.tar.gz
│ └── [874K] Werkzeug-2.0.2.tar.gz
├── [4.0K] src
│ ├── [4.0K] content
│ │ └── [2.7K] home.html
│ ├── [4.0K] css
│ │ └── [1.5K] css.css
│ ├── [4.8K] server.py
│ └── [4.0K] static
│ ├── [178K] fancy_llama.jpg
│ ├── [7.8K] fa_search.png
│ ├── [ 33K] llama1.jpg
│ ├── [ 74K] llama2.jpg
│ └── [129K] pineapple_llama.jpg
└── [1.2K] writeup.md
6 directories, 20 files