Uber Jinja2 TTSI

On April 6, 2016, a bug bounty hunter named Orange Tsai published an SSTI vulnerability in the Uber application, which used the Flask Jinja2 template engine.

Orange Tsai entered, in the Name field, located in the Profile section in rider.uber.com, these numbers to be evaluated:

{{ '7'*7 }}

When he accepted the change, the application sent an email and, in the email's body, there appeared 7777777, the result:

Also, in the Uber application, the name of the user changed, showing how valid the action was:

So, he entered the following Python code:

{{ '7'*7 }}
{{ [].class.base.subclasses() }} # get all classes
{{''.class.mro()[1].subclasses()}} 
{%for c in [1,2,3] %}{{c,c,c}}{% endfor %}

The result was that he could extract all of the information about the currently running instance:

The tip you can use to detect this kind of vulnerability is to enter values that could be evaluated and show the result in a simple way, in this case, as integers in a multiplication.

If you want to read more about this, follow this post in HackerOne: https://hackerone.com/reports/125980.

Table of Contents for Uber Jinja2 TTSI

Create new playlist

Sign In

Sign Up

Table of Contents for
Uber Jinja2 TTSI