ERB template false negative

[riramar]

TInjA is not able to identify the ERB template under https://portswigger.net/web-security/server-side-template-injection/exploiting/lab-server-side-template-injection-basic.

It seems the file https://github.com/Hackmanit/TInjA/blob/main/pkg/engines.go needs to be updated.
Thanks!

Best regards,
Ricardo Iramar

[m10x]

Hi, the polyglots were created using the https://github.com/Hackmanit/template-injection-playground. The ERB integration on the portswigger academy seems to differ. In one case it behaves strangely, e.g. %-2 is rendered as �. I did not find something about that behavior in the ERB doc. The erb implementation of Portswigger could be added to the cheatsheet and thus also to TInjA. However I'm unsure if it is really representative. The polyglot approach TInjA uses, is fast, but prone to false positives, if there are any (weird/unexpected) input/output transformations.