ERB template false negative
TInjA is not able to identify the ERB template under https://portswigger.net/web-security/server-side-template-injection/exploiting/lab-server-side-template-injection-basic.
It seems the file https://github.com/Hackmanit/TInjA/blob/main/pkg/engines.go needs to be updated. Thanks!
Best regards, Ricardo Iramar
Hi, the polyglots were created using the https://github.com/Hackmanit/template-injection-playground. The ERB integration on the PortSwigger academy seems to differ. In one case it behaves strangely, e.g. %-2 is rendered as . I did not find anything about that behavior in the ERB doc. The ERB implementation of PortSwigger could be added to the cheatsheet and thus also to TInjA. However, I'm unsure if it is really representative. The polyglot approach TInjA uses is fast, but prone to false positives if there are any (weird/unexpected) input/output transformations.