Outbox
A one-person email-newsletter tool. The compose page lets you preview your draft with sample subscriber data — and the developer wrote her own little template engine instead of pulling in Twig.
The Scenario
Outbox is a tiny email-newsletter SaaS run out of a Brooklyn apartment by Marisol Park. Seven dollars a month, send up to five thousand emails, no automation, no segmentation, no AI. Just a clean editor and a send button.
Marisol built the compose preview feature on a quiet Saturday. She wanted `{{name}}` substitution to work and thought Twig was overkill for something so simple. So she rolled her own — about twelve lines of PHP. The kind of thing nobody on Hacker News would ever endorse, but it works fine for her two hundred users and her own newsletter.
Sign up, draft something, and look at how the preview button handles what you give it.
Lab Intel
Synopsis
Find what one bad eval lets you do.
Architecture
A beginner-friendly PHP + Apache newsletter SaaS. The compose page renders a 'preview with sample subscriber' through a homemade twelve-line template engine that wraps `eval()`. The vuln syntax is `{{ ... }}`, the payload language is PHP, and the flag lives in a file the apache user can read.
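What the Architecture section describes, as an added example that is not Outbox's own code: the eval-wrapping shape the page attributes to the homemade engine (reconstructed, since the page does not print those twelve lines), beside a substitution engine that treats `{{name}}` as a data lookup instead of code. The field names and the sample subscriber are assumptions.

```php
<?php
// Added example, not Outbox's own engine. The page says the preview engine
// wraps eval(); the exact twelve lines are not shown, so render_unsafe() is
// an assumed reconstruction of that shape. Field names and sample data are
// constructed.

// UNSAFE SHAPE: whatever sits between the braces becomes PHP source.
// {{ 7*7 }} evaluates to 49, and any other expression runs the same way.
function render_unsafe(string $tpl, array $subscriber): string
{
    return preg_replace_callback('/\{\{\s*(.+?)\s*\}\}/', function ($m) use ($subscriber) {
        extract($subscriber);                  // exposes $name, $email, ... to eval
        return (string) eval('return ' . $m[1] . ';');
    }, $tpl);
}

// SAFE SHAPE: {{name}} is a lookup key, never code. The pattern only admits
// an identifier, the identifier must be on an allowlist, and the value is
// escaped for the HTML preview. Anything else is left in place, unevaluated.
const ALLOWED_FIELDS = ['name', 'email', 'city'];

function render_safe(string $tpl, array $subscriber): string
{
    $pattern = '/\{\{\s*([A-Za-z_][A-Za-z0-9_]*)\s*\}\}/';
    return preg_replace_callback($pattern, function ($m) use ($subscriber) {
        $key = $m[1];
        if (!in_array($key, ALLOWED_FIELDS, true) || !array_key_exists($key, $subscriber)) {
            return $m[0];                      // unknown key: show it, do not run it
        }
        return htmlspecialchars((string) $subscriber[$key], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }, $tpl);
}

$sample = ['name' => 'Ada <b>L</b>', 'email' => 'ada@example.test', 'city' => 'Brooklyn'];
$draft  = "Hi {{ name }} from {{city}}! {{ 7*7 }} {{ nickname }}";

// With render_safe the name and city are substituted and escaped, while
// `{{ 7*7 }}` and the unknown `{{ nickname }}` are printed back literally.
echo render_safe($draft, $sample), PHP_EOL;
```

The fix is not a better regex but a change of model: the brace contents index a fixed set of subscriber fields, so there is no expression for `eval()` to run and no sandbox to escape.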
Who It's For
Newcomers comfortable with one or two injection labs who are ready to step from data sinks (SQLi) and OS-command sinks (cmd injection) up to template-engine sinks. The sixth WebVerse foundational, after Flower, Overdue, Corridor, Quotin, and Tally.
Skills You'll Practice
- Spotting `{{...}}` syntax as a candidate template injection
- Confirming SSTI with a math-eval probe (`{{ 7*7 }}`)
- Escalating from arithmetic to PHP function calls
- Reading a flag from the filesystem via the template engine
What You'll Gain
- Vocabulary: SSTI, template injection, eval, RCE, sandbox escape
- A mental model that 'template engine' is a vuln class, not a brand
- Confidence with the PHP side of an attack pattern that ships in Twig, Smarty, and home-rolled engines alike