Yahoo SSTI vulnerability

On July 8, 2018, a bug bounty hunter called Jedna Linijka published an SSTI vulnerability in Yahoo.

Using recognized tools, he found the http://datax.yahoo.com/swagger-ui.html URL, which showed him a 403 error code:

Taking this error as a starting point, he discovered that DataX is an API. He read the documentation and tested the different entry points he found. When he tried the entry points, he received the following error page:

The important detail on this page is that it reflects the value entered by the user. First, he tried the test string ${7*7} and got the following page:

The vulnerability was confirmed, so after that he entered a JavaScript line to exploit it:

${T(java.lang.System).getenv()}

With that, he pulled the environment variables directly from the server:

This is an interesting vulnerability, and it stems from a forgotten URL. As a tip for exploiting SSTI vulnerabilities, read the documentation once you detect which technology the application uses. In this case, he read the API documentation to learn how to pass different values and consume the entry points.
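As an added, defender-side example that is not part of the original write-up, the following Python scans access-log lines for the two patterns seen above: the ${7*7} arithmetic probe and the T(java.lang.System) type reference. It URL-decodes the request first, since the payload normally arrives encoded in the query string. The log lines and paths are constructed for the example and are not Yahoo's.

```python
import re
from urllib.parse import unquote

# Expression-language probe patterns used in SSTI testing: the ${7*7} style
# arithmetic probe, its {{7*7}} Jinja/Twig cousin, and the T(...) type
# reference from the report above. Matched after URL-decoding.
SSTI_PATTERNS = [
    ("el_arith_probe", re.compile(r"\$\{\s*\d+\s*[*+\-/]\s*\d+\s*\}")),
    ("jinja_arith_probe", re.compile(r"\{\{\s*\d+\s*[*+\-/]\s*\d+\s*\}\}")),
    ("spel_type_ref", re.compile(r"\bT\s*\(\s*[\w.]+\s*\)")),
]


def decode(value: str, rounds: int = 3) -> str:
    """URL-decode repeatedly so %24%7B and double-encoded %2524%257B both resolve to ${."""
    for _ in range(rounds):
        new = unquote(value)
        if new == value:
            break
        value = new
    return value


def classify_request(line: str) -> list[str]:
    """Return the names of the SSTI indicators found in one access-log line."""
    decoded = decode(line)
    return [name for name, rx in SSTI_PATTERNS if rx.search(decoded)]


def scan_log(lines):
    """Yield (line, indicators) for every line carrying at least one indicator."""
    for line in lines:
        hits = classify_request(line)
        if hits:
            yield line, hits


# Constructed sample access-log lines (hypothetical API path, not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [08/Jul/2018:10:01:02 +0000] "GET /swagger-ui.html HTTP/1.1" 403 0',
    '10.0.0.5 - - [08/Jul/2018:10:02:10 +0000] "GET /api/v1/query?name=%24%7B7*7%7D HTTP/1.1" 500 812',
    '10.0.0.5 - - [08/Jul/2018:10:03:44 +0000] "GET /api/v1/query?name=%24%7BT(java.lang.System).getenv()%7D HTTP/1.1" 200 4096',
    '10.0.0.7 - - [08/Jul/2018:10:04:00 +0000] "GET /api/v1/query?name=alice HTTP/1.1" 200 120',
]

if __name__ == "__main__":
    for line, hits in scan_log(SAMPLE_LOG):
        print(hits, line)
```

A 403 on the discovery request followed by a 500 on the arithmetic probe and a 200 on the type reference is the sequence this report describes, so alerting on the probe alone gives the earliest signal.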
