9.5.3
Creating string variables of the attributes we need to access is only one option to bypass the SSTI filter. If the developers replace the filter from “.” to “”, our payload would not work any longer. Using the Jinja documentation, find another method to exploit the filter that does not set the string variables for the attributes directly in the template. For this Extra Mile, the template should only contain the following expression: “string|attr(class)”.
Source: https://medium.com/@nyomanpradipta120/jinja2-ssti-filter-bypasses-a8d3eb7b000f
{% set string = "ssti" %}
{% set class = "\x5f\x5fmro\x5f\x5f"%}
{{string|attr(class)}}