Open sectroyer opened 1 year ago
Handlebars is not supported by SSTImap yet, so it can cause incorrect detections. tpl-shell might work, if you write Handlebars code in it according to the detected context. I will probably add Handlebars soon, but I need to do some research for that.
I was testing SSTImap with PortSwigger's "Server-side template injection in an unknown language with a documented exploit" (https://portswigger.net/web-security/server-side-template-injection/exploiting/lab-server-side-template-injection-in-an-unknown-language-with-a-documented-exploit) lab and noticed some issues. First of all, the Handlebars engine was detected as Dust, but it might be because both are Node.js-based. The second issue is that there was no cmd/shell support for this plugin. I tried using tpl-shell but only got some exception.