
Posts by n1nj4sec

FreeMarker SSTI tricks. GitHub Gist: instantly share code, notes, and snippets.

I recently found a blind FreeMarker SSTI on a bbp. It was not possible to RCE, but I found some nice gadgets to enumerate accessible variables, read data blindly or perform some DoS. I documented that here if someone is interested.
gist.github.com/n1nj4sec/5e3...

1 year ago 12 3 0 0

I talk about this on the pod all the time, but CSRF is dead simple. You just need to know the conditions.

I'm not gonna recite them again here, but today a new condition came up:

No Content-Type header -> no CSRF restrictions
Same-site: None
POST
= CSRF

The research:

1 year ago 41 5 4 0

👋

1 year ago 2 0 0 0

wow crazy trick !! thank you for sharing this Justin

1 year ago 1 0 0 0