Skip to main content



[SSTI] Breaking Go's template engine to get XSS

Hi, I recently started working with Go and decided to play around with it's in built packages for web related stuff. It's a very neat language which is easy to learn and implement. While looking at the web development side of the language, I came across the package for templates. My first thought was to see if I could get an SSTI to work in it, but sadly I couldn't find any resources online. Through some thorough reading of the templating documentation and some bypasses, I was able to successfully achieve XSS. This blogpost signifies the process of finding and exploiting an SSTI in a server written in Go.
Introduction to Go's templating engine Go provides two templating packages. One is text/template and the other is html/template. The text/template package has no protections for XSS or any kinds of HTML encoding whatsoever. This isn't suited for building web apps, but instead for use in different apps which don't require processing of HTML. The second package…

Latest Posts

Introducing Slacker: Monitoring subdomain additions in real time and automating directory scanning

Escalating subdomain takeovers to steal cookies by abusing document.domain

Got my OSCP cert!

Unauthorised file upload in site

Web cache deception in Valve

Private video info disclosure through API in Vimeo!

XSS in Paypal acquisition!