Client Side Template Injection (CSTI)
Last updated
Last updated
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Deepen your expertise in Mobile Security with 8kSec Academy. Master iOS and Android security through our self-paced courses and get certified:
It is like a Server Side Template Injection but in the client. The SSTI can allow you to execute code on the remote server, the CSTI could allow you to execute arbitrary JavaScript code in the victim's browser.
Testing for this vulnerability is very similar as in the case of SSTI, the interpreter expects a template and will execute it. For example, with a payload like {{ 7-7 }}
, if the app is vulnerable you will see a 0
, and if not, you will see the original: {{ 7-7 }}
AngularJS is a widely-used JavaScript framework that interacts with HTML through attributes known as directives, a notable one being ng-app
. This directive allows AngularJS to process the HTML content, enabling the execution of JavaScript expressions inside double curly braces.
In scenarios where user input is dynamically inserted into the HTML body tagged with ng-app
, it's possible to execute arbitrary JavaScript code. This can be achieved by leveraging the syntax of AngularJS within the input. Below are examples demonstrating how JavaScript code can be executed:
You can find a very basic online example of the vulnerability in AngularJS in http://jsfiddle.net/2zs2yv7o/ and in Burp Suite Academy
Angular 1.6 removed the sandbox so from this version a payload like {{constructor.constructor('alert(1)')()}}
or <input ng-focus=$event.view.alert('XSS')>
should work.
You can find a vulnerable Vue implementation in https://vue-client-side-template-injection-example.azu.now.sh/
Working payload: https://vue-client-side-template-injection-example.azu.now.sh/?name=%7B%7Bthis.constructor.constructor(%27alert(%22foo%22)%27)()%7D%
And the source code of the vulnerable example here: https://github.com/azu/vue-client-side-template-injection-example
A really good post on CSTI in VUE can be found in https://portswigger.net/research/evading-defences-using-vuejs-script-gadgets
Credit: Gareth Heyes, Lewis Ardern & PwnFunction
Credit: Mario Heiderich
Check more VUE payloads in https://portswigger.net/web-security/cross-site-scripting/cheat-sheet#vuejs-reflected
Payload:
More payloads in https://portswigger.net/research/abusing-javascript-frameworks-to-bypass-xss-mitigations
Deepen your expertise in Mobile Security with 8kSec Academy. Master iOS and Android security through our self-paced courses and get certified:
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)