Dylan is a Technical Lead at Leviathan Security Group. Previously, he worked in defensive security and as a software engineer. He has engaged with the security community for several years, largely through open source contributions and research. Through these roles, he has worked extensively with a broad variety of web application technologies and languages, for both building and breaking software.
In this talk, I'll begin by explaining what templating engines are and what need they serve, and by detailing where templates are generally used. I'll then discuss how bugs in these systems can arise, how they can be detected as an attacker, and how they can be exploited. I'll also discuss significant examples of template injection bugs, such as Log4Shell, and talk about how they were exploited and fixed.