Tags: flask ssti web jinja2 

Rating: 5.0

## Observation
* We can make use of the `config` object in Flask, which stores the server's configuration. This object has an interesting method, `update`, that we can use to store any variable in the configuration object: `config.update(key = value)`
* Notice the dot in `{adjective}.{person}`. We can use this dot as part of the template, extending the length of our input!
* Jinja, the template engine for Flask, supports declaring variables inside a template with the syntax `{% set foo='bar' %}`.

## Idea
* Use variables in the Jinja template to reduce the number of characters we need to type. For example, instead of `config.__class__`, we write `{% set x=config %}` and then use `x.__class__`. 5 characters saved!
* Of course, it is impossible to reach `popen('ls').read()` by doing #1 alone: we have only 5 input fields. Instead, we will store the variable in Flask's `config`. By doing so, we can recall the variable later and continue until the payload is complete.
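
A defender-side check for the field-splitting trick described above, as an added example that is not part of the original writeup: it scans each submitted field alone and then the string the template engine will actually receive. The `MADLIB` format string, the rule set and the sample submissions are constructed for illustration; only the `{adjective}.{person}` fragment comes from the writeup.

```python
import re

# Constructed stand-in for the challenge's format string; only the
# `{adjective}.{person}` fragment is taken from the writeup.
MADLIB = "The {adjective}.{person} said hello."

# Patterns for the Jinja constructs the writeup relies on.
RULES = {
    "jinja_delimiter": re.compile(r"\{\{|\{%"),
    "set_statement": re.compile(r"\{%-?\s*set\b"),
    "config_update": re.compile(r"\.\s*update\s*\("),
    "dunder_attribute": re.compile(r"\.\s*__\w+__"),
}


def scan(text):
    """Return the sorted names of all rules that match `text`."""
    return sorted(name for name, rx in RULES.items() if rx.search(text))


def scan_request(fields):
    """Scan each field alone, then the string the template engine will see.

    Rules that fire only on the assembled string mean the construct was
    completed by literal template text (here, the dot between two fields).
    """
    per_field = {k: scan(v) for k, v in fields.items()}
    assembled = scan(MADLIB.format(**fields))
    seen = {hit for hits in per_field.values() for hit in hits}
    return {
        "per_field": per_field,
        "assembled": assembled,
        "only_when_joined": sorted(set(assembled) - seen),
    }


# Constructed sample submissions, built from the constructs named above.
SPLIT = {"adjective": "{{x", "person": "__class__}}"}
STAGED = {"adjective": "{%set x=config%}", "person": "Bob"}
BENIGN = {"adjective": "happy", "person": "Alice"}

if __name__ == "__main__":
    for name, req in [("split", SPLIT), ("staged", STAGED), ("benign", BENIGN)]:
        print(name, scan_request(req))
```

Pattern matching of this kind is a detection aid only; the fix is to pass user input to the template as data rather than rendering it as template source.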

Original writeup (https://anakint.medium.com/digital-overdose-2021-autumn-ctf-writeup-madlib-web-c51c5ded5260).