Client Side Template Injection (CSTI)
Last updated
Last updated
Learn & practice AWS Hacking: Learn & practice GCP Hacking:
It is like a but in the client. The SSTI can allow you to execute code on the remote server, the CSTI could allow you to execute arbitrary JavaScript code in the victim's browser.
Testing for this vulnerability is very similar as in the case of SSTI, the interpreter expects a template and will execute it. For example, with a payload like {{ 7-7 }}
, if the app is vulnerable you will see a 0
, and if not, you will see the original: {{ 7-7 }}
AngularJS is a widely-used JavaScript framework that interacts with HTML through attributes known as directives, a notable one being ng-app
. This directive allows AngularJS to process the HTML content, enabling the execution of JavaScript expressions inside double curly braces.
In scenarios where user input is dynamically inserted into the HTML body tagged with ng-app
, it's possible to execute arbitrary JavaScript code. This can be achieved by leveraging the syntax of AngularJS within the input. Below are examples demonstrating how JavaScript code can be executed:
Payload:
You can find a very basic online example of the vulnerability in AngularJS in and in
so from this version a payload like {{constructor.constructor('alert(1)')()}}
or <input ng-focus=$event.view.alert('XSS')>
should work.
You can find a vulnerable Vue implementation in Working payload:
And the source code of the vulnerable example here:
A really good post on CSTI in VUE can be found in
Credit:
Credit:
Check more VUE payloads in
More payloads in
Learn & practice AWS Hacking: Learn & practice GCP Hacking:
Check the !
Join the 💬 or the or follow us on Twitter 🐦 .
Share hacking tricks by submitting PRs to the and github repos.