ECHO is a deliberately vulnerable Flask web application designed as a sandbox environment for learning Server-Side Template Injection (SSTI).
This application is an educational tool and should never be deployed in a production environment.
You can run ECHO either with Docker or directly with a Python command. Docker is the recommended option, because running a deliberately vulnerable application directly on your system could compromise it.

```bash
git clone https://github.com/SoePhonePyae/ssti_echo
cd app
```

If you don't have Docker installed, install it first; the container can't be built or run without it. Follow the Docker installation procedure for your platform.

```bash
docker build -t echo .
```

- `docker build`: docker command to build a Docker image
- `-t echo`: optional flag that names (tags) the resulting image
- `.`: directory in which the `Dockerfile` is located (the current directory)

```bash
docker run -p 8000:8000 echo
```

- `docker run`: docker command to run a Docker container
- `-p 8000:8000`: mapping of host port to container port (`host:container`)
- `echo`: name of the image to run (the one tagged in the build step)

After starting the container, browse to http://127.0.0.1:8000/. If you specified a different host port when you ran the container, use that port number instead of 8000.

A container ID or name is required to stop a running container.

```bash
docker ps
```

- `docker ps`: docker command for listing running containers

```bash
docker stop <container_id_or_name>
```

- `docker stop`: docker command for stopping containers
- `container_id_or_name`: the container ID or name shown by the previous command
ECHO is designed intentionally to be vulnerable to Server-Side Template Injection (SSTI) attacks for educational purposes. Please refrain from running the application in production environments.
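To make clear what class of bug ECHO exists to teach, here is an added example that is not part of the ECHO repository: the Jinja2 pattern behind SSTI in Flask applications, written as the unsafe form beside the hardened form, plus a cheap input check a defender can use for logging or alerting. It assumes only that Jinja2 (the template engine Flask uses) is installed; no Flask app or running container is needed, and the function names and sample inputs are constructed for this illustration.

```python
# Added example (not part of the ECHO repository): the Jinja2 pattern behind
# SSTI in Flask apps, shown as the unsafe form beside the hardened form.
# Assumes Jinja2 (Flask's template engine) is installed; no Flask app needed.
from jinja2 import Environment

# autoescape=True mirrors Flask's default for HTML templates: rendered values
# have <, >, &, " and ' HTML-escaped.
env = Environment(autoescape=True)


def render_unsafe(name: str) -> str:
    """Unsafe: user input is spliced into the template *source* string.

    Any Jinja2 syntax inside `name` is parsed and evaluated by the engine,
    which is exactly the condition Server-Side Template Injection relies on.
    """
    template_source = "Hello, " + name + "!"
    return env.from_string(template_source).render()


def render_safe(name: str) -> str:
    """Hardened: the template source is a fixed string written by the developer.

    User input is passed as a context variable, so the engine treats it as
    data: it is rendered (and autoescaped), never parsed as template code.
    """
    return env.from_string("Hello, {{ name }}!").render(name=name)


# Jinja2 delimiters; a user-supplied value containing any of them is worth
# logging, since legitimate names rarely contain template syntax.
_TEMPLATE_TOKENS = ("{{", "}}", "{%", "%}", "{#", "#}")


def looks_like_template_syntax(value: str) -> bool:
    """Cheap detection check: True if the value contains Jinja2 delimiters."""
    return any(token in value for token in _TEMPLATE_TOKENS)


if __name__ == "__main__":
    # Constructed sample inputs: a plain name and a value containing template syntax.
    for sample in ("alice", "{{ 7 * 7 }}"):
        print("unsafe :", render_unsafe(sample))
        print("safe   :", render_safe(sample))
        print("flagged:", looks_like_template_syntax(sample))
```

The contrast to notice is in the second sample: the unsafe renderer evaluates the expression because it became part of the template source, while the hardened renderer prints it back verbatim because it arrived as a context value. The fix is not to filter characters but to keep user data out of the template source entirely; the delimiter check is only a detection aid for spotting probing in logs.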