SecLists/Fuzzing/template-engines-expression.txt

42*42
{42*42}
{{42*42}}
{{{42*42}}}
#{42*42}
${42*42}
<%=42*42 %>
{{=42*42}}
{^xyzm42}1764{/xyzm42}
${donotexists|42*42}
[[${42*42}]]
Add a version of the payload for CodeContext Add the payload "42*42" to the fuzzing list in order to cover the "Code context" detection point mentioned in the https://portswigger.net/web-security/server-side-template-injection training 2020-04-25 09:13:06 +02:00			`42*42`
Add a initial collection of template engines expression 2020-04-18 17:16:20 +02:00			`{42*42}`
			`{{42*42}}`
			`{{{42*42}}}`
			`#{42*42}`
			`${42*42}`
			`<%=42*42 %>`
Add the expression for the doT engine 2020-05-03 10:30:48 +02:00			`{{=42*42}}`
Add the expression for the Dust engine 2020-05-03 10:52:17 +02:00			`{^xyzm42}1764{/xyzm42}`
Add expression for Velocity engine 2020-09-13 09:33:41 +02:00			`${donotexists\|42*42}`
Add an expression using expression inlining for Thymeleaf See https://www.thymeleaf.org/doc/tutorials/3.0/usingthymeleaf.html#expression-inlining Added it because I have discovered that, when StringTemplateResolver is used, then expression like ${42*42} is not resolved 2020-09-13 11:04:15 +02:00			`[[${42*42}]]`