Second-order SSTI (stored draft, rendered later)

/second-order · sink: stored snippet -> render_template_string in a later request

Save endpoint stores raw template text; preview endpoint renders it.

1. Save a draft


2. Preview a draft


Existing drafts: check-2137-1778710018969260281

Hint

Save a draft whose body is an SSTI payload, e.g. {{ config['VULNLAB_SSTI_SECOND_ORDER'] }}, then GET /second-order/preview?id=<the key you used>. Storage and rendering live in different endpoints; a per-sink scanner that only inspects render_template_string callers will miss the cross-endpoint flow.
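The hint's point about scanner blind spots is easiest to see in code. The following is an added example, not the lab's own source: it uses Python's `ast` module to run two checks over a constructed Flask snippet whose `save`/`preview` split mirrors this sink (function names, the `DRAFTS` dict and the `/direct` route are assumptions made for the demo). The naive per-sink check only asks whether the template argument traces back to `request` inside the same function, so it finds the direct case and misses the stored one; the storage-aware check pairs the function that writes request data into a module-level container with the function that later renders from it.

```python
"""Added example: spotting second-order SSTI flows with the ast module."""
import ast

# Constructed sample app resembling the lab's save/preview split (hypothetical).
SAMPLE_APP = '''
from flask import Flask, request, render_template_string
app = Flask(__name__)
DRAFTS = {}

@app.route("/second-order/save", methods=["POST"])
def save():
    DRAFTS[request.form["id"]] = request.form["body"]   # store raw template text
    return "saved"

@app.route("/second-order/preview")
def preview():
    body = DRAFTS.get(request.args["id"], "")
    return render_template_string(body)                   # sink, fed from storage

@app.route("/direct")
def direct():
    return render_template_string(request.args.get("t", ""))  # first-order sink
'''

SINK = "render_template_string"


def _root(expr):
    """Data-flow root of an expression: the object a value is read from.
    Keys and call arguments are ignored (a lookup key does not become the value)."""
    while True:
        if isinstance(expr, ast.Name):
            return expr.id
        if isinstance(expr, (ast.Subscript, ast.Attribute)):
            expr = expr.value
        elif isinstance(expr, ast.Call) and isinstance(expr.func, ast.Attribute):
            expr = expr.func.value            # DRAFTS.get(...) -> DRAFTS
        else:
            return None                       # literal, f-string, other call


def _assignments(func):
    """Map local name -> root of the expression last assigned to it."""
    out = {}
    for node in ast.walk(func):
        if (isinstance(node, ast.Assign) and len(node.targets) == 1
                and isinstance(node.targets[0], ast.Name)):
            out[node.targets[0].id] = _root(node.value)
    return out


def _source_of(func, expr):
    """Resolve expr to its ultimate source name within func (bounded alias chase)."""
    local = _assignments(func)
    root = _root(expr)
    for _ in range(10):
        if root not in local:
            break
        root = local[root]
    return root


def _functions(tree):
    return [n for n in ast.walk(tree) if isinstance(n, ast.FunctionDef)]


def _sink_args(func):
    return [c.args[0] for c in ast.walk(func)
            if isinstance(c, ast.Call) and isinstance(c.func, ast.Name)
            and c.func.id == SINK and c.args]


def per_sink_scan(src):
    """Naive scanner: flags a sink only if its template argument comes from
    `request` in the same function. Returns [(function, source)]."""
    findings = []
    for f in _functions(ast.parse(src)):
        for arg in _sink_args(f):
            if _source_of(f, arg) == "request":
                findings.append((f.name, "request"))
    return findings


def cross_endpoint_scan(src):
    """Storage-aware scanner: a function writing request-derived data into a
    module-level container + a function rendering from that container.
    Returns [(container, writer, renderer)]."""
    tree = ast.parse(src)
    module_names = {t.id for n in tree.body if isinstance(n, ast.Assign)
                    for t in n.targets if isinstance(t, ast.Name)}
    writers = {}                                   # container -> writer function
    for f in _functions(tree):
        for node in ast.walk(f):
            if isinstance(node, ast.Assign):
                for tgt in node.targets:
                    c = _root(tgt)
                    if c in module_names and _source_of(f, node.value) == "request":
                        writers[c] = f.name
    findings = []
    for f in _functions(tree):
        for arg in _sink_args(f):
            c = _source_of(f, arg)
            if c in writers and writers[c] != f.name:
                findings.append((c, writers[c], f.name))
    return findings


if __name__ == "__main__":
    print("per-sink:      ", per_sink_scan(SAMPLE_APP))
    print("cross-endpoint:", cross_endpoint_scan(SAMPLE_APP))
```

The per-sink scan reports only `direct`; the cross-endpoint scan reports the `DRAFTS` flow from `save` to `preview`. The remediation is the same for both shapes: user-controlled text must never be the template itself, so the stored body should be passed as context to a fixed template (for instance `render_template_string("{{ body }}", body=stored)`), which autoescapes it as data instead of evaluating it.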
