Research Academy
My account Customers About Blog Careers Legal Contact Resellers
The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

For support requests, go to the Support Center. To discuss with other Burp users, head to our Discord page.

SUPPORT CENTER DISCORD

Identify the template engine in the "Server-side template injection using documentation"-Lab

Janosch | Last updated: May 23, 2021 02:20PM UTC

The solutions suggest provoking a syntax/undefined variable error, because the error message gives a hint to the used template engine. When I do that I get an HTTP 500 with the message "Internal server error", no additional headers or anything else. I appreciate any hints, thanks!

Ben, PortSwigger Agent | Last updated: May 24, 2021 10:04AM UTC

Hi, Can you clarify exactly what steps you have used to attempt to generate the error message that should provide you with details of the template being used?

Janosch | Last updated: May 24, 2021 01:53PM UTC

Hi, thanks for your reply. Heres what I did and observed: 1. Login and go to the Template Editing for a product (/product/template?productId=X) 2. Add something like ${lol} to the text 3. Click 'Save' 4. Redirect to product page (/product?productId=X) that shows the aformentioned Internal Server Error message 5. Same message for revisiting the template view for that product The same message also appears when using the preview function. With the only difference, that there is no redirect. This what I did initially and up on reading the solution understand to be what you should be doing to solve it anyway.

Hannah, PortSwigger Agent | Last updated: May 25, 2021 03:25PM UTC

Hi We've replicated your issue, and we're investigating further. We'll let you know when we have some further feedback.

Ben, PortSwigger Agent | Last updated: May 26, 2021 12:48PM UTC

Hi, Just to confirm that we believe that this is a bug in this particular lab and we have raised a bug report for our developers to investigate. They are currently looking into this issue and we will update this thread when a fix has been implemented.

Janosch | Last updated: May 26, 2021 12:59PM UTC

Thanks for looking into this. If it turns out to be indeed a bug, it might be possible that the Lab "Server-side template injection in a sandboxed environment" has the same problem. Though, there the engine is named in the description. I'm not positive how the error messages look, but they might help to differentiate between making a syntax error and a "something is undefined/not allowed" error and thus are welcome there too.

Ben, PortSwigger Agent | Last updated: May 27, 2021 09:12AM UTC

Hi, We will take a look at the other lab that you have mentioned and get back to you.

Ben, PortSwigger Agent | Last updated: May 28, 2021 10:27AM UTC

Hi, It looks like the Server-side template injection in a sandboxed environment lab is functioning as expected and can be solved using the solution provided. Are you experiencing a specific issue with this particular lab?

Janosch | Last updated: Jun 06, 2021 10:54AM UTC