@@sukremez1870 I got you back . If you test any application you just gather info about the technology they used . Then you are testing like hit and trail . Everything about the website you have to test for different aspects in a different manner .if you don't know where you want to test.you just read the documentation of the website you are testing . It would help you what endpoint and what was the details fetch from backend to front end simple how it is working . And that was the phase where I discovered the first name and second name is vulnerable to SSTI.then I check what was they used template to process the data .then I got to know it was Jinja2 instances template is used . Then I tried a simple payload. And it worked . Then I dig deep to escalate into RCE. I hope I just clear your question

@@A9x-AkhilReddy aight got it

@@gk_eth I show a simple payload in this poc . I cut the interesting part I escalate into RCE

@@A9x-AkhilReddy if rce, got bounty then? if yes, does this website have bounty program in hackerone/bugcrowd? or no?

@@user-mo8uj9vq5u thanks for the Collab request. I escalate into RCE for jinja2 instances I cut the part and just uploaded. If I got anything I will Collab . Try to drop the social media link to contact you . Any way they scammed me for not getting any response from their side.

@@A9x-AkhilReddy u have twitter ill add u