Client Side Template Injection (CSTI)
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Summary
It is like a Server Side Template Injection but in the client. The SSTI can allow you to execute code on the remote server, the CSTI could allow you to execute arbitrary JavaScript code in the victim's browser.
Testing for this vulnerability is very similar as in the case of SSTI, the interpreter expects a template and will execute it. For example, with a payload like {{ 7-7 }}
, if the app is vulnerable you will see a 0
, and if not, you will see the original: {{ 7-7 }}
AngularJS
AngularJS is a widely-used JavaScript framework that interacts with HTML through attributes known as directives, a notable one being ng-app
. This directive allows AngularJS to process the HTML content, enabling the execution of JavaScript expressions inside double curly braces.
In scenarios where user input is dynamically inserted into the HTML body tagged with ng-app
, it's possible to execute arbitrary JavaScript code. This can be achieved by leveraging the syntax of AngularJS within the input. Below are examples demonstrating how JavaScript code can be executed:
You can find a very basic online example of the vulnerability in AngularJS in http://jsfiddle.net/2zs2yv7o/ and in Burp Suite Academy
Angular 1.6 removed the sandbox so from this version a payload like {{constructor.constructor('alert(1)')()}}
or <input ng-focus=$event.view.alert('XSS')>
should work.
VueJS
You can find a vulnerable Vue implementation in https://vue-client-side-template-injection-example.azu.now.sh/
Working payload: https://vue-client-side-template-injection-example.azu.now.sh/?name=%7B%7Bthis.constructor.constructor(%27alert(%22foo%22)%27)()%7D%
And the source code of the vulnerable example here: https://github.com/azu/vue-client-side-template-injection-example
A really good post on CSTI in VUE can be found in https://portswigger.net/research/evading-defences-using-vuejs-script-gadgets
V3
Credit: Gareth Heyes, Lewis Ardern & PwnFunction
V2
Credit: Mario Heiderich
Check more VUE payloads in https://portswigger.net/web-security/cross-site-scripting/cheat-sheet#vuejs-reflected
Mavo
Payload:
More payloads in https://portswigger.net/research/abusing-javascript-frameworks-to-bypass-xss-mitigations
Brute-Force Detection List
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Last updated