Group: Pentest
Keywords: Attack, Information disclosure
Last edited time: Jun 25, 2024 11:33 AM
Status: Draft
👉 Overview
👀 What?
Client-Side Template Injection (CSTI) is a web vulnerability that occurs when attacker-controlled data is inserted into a template that is rendered in the user's browser. Because the client-side template engine interprets that data as part of the template rather than as plain text, the attacker can make it execute arbitrary JavaScript in the user's browser.
🧐 Why?
Understanding CSTI is crucial because it poses a serious security threat. By exploiting this vulnerability, attackers can perform unwanted actions on behalf of the user, steal sensitive data, or even take over user accounts. Any web application that uses client-side templates therefore needs to guard against it.
⛏️ How?
To protect against CSTI, ensure that user-supplied input is properly sanitized before it is included in a template: remove or escape any characters that have special meaning in the template language. Additionally, use a Content Security Policy (CSP) to restrict the types of content that can be executed in the user's browser. Finally, keep your template libraries up to date to benefit from the latest security fixes.
⏳ When?
CSTI vulnerabilities have been a concern since the advent of client-side rendering, which became popular with the rise of JavaScript libraries and frameworks such as AngularJS and React in the mid-2010s.
⚙️ Technical Explanations
CSTI occurs when an application includes user input in a client-side template in an unsafe way. The attacker can inject template directives, which the template engine then evaluates in the user's browser. For example, in an AngularJS application the attacker could inject a string such as "{{constructor.constructor('alert(1)')()}}", which causes an alert box to pop up when the template is rendered. The severity of the vulnerability depends on the capabilities of the template engine and on the context in which the injection occurs. In the worst case it leads to full JavaScript code execution, and thus to a Cross-Site Scripting (XSS) vulnerability.
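To make the root cause concrete, here is an added example (not code from the original page or from any real framework): a toy {{ }} template engine whose expression evaluator uses Function(), the way client-side template libraries conceptually evaluate interpolations. It contrasts the vulnerable pattern (user input spliced into the template source) with the hardened one (user input passed only as scope data), using the benign arithmetic probe that is commonly used to detect CSTI.

```javascript
// Added example: minimal client-side style template engine (hypothetical, not
// AngularJS). Interpolated {{expr}} blocks are evaluated against a scope object.

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Single pass: every {{expr}} in the template TEXT is evaluated as an
// expression over `scope`; the evaluated value is HTML-escaped and inserted.
function render(template, scope) {
  return template.replace(/\{\{([\s\S]*?)\}\}/g, (_, expr) => {
    const value = new Function('scope', 'with (scope) { return (' + expr + '); }')(scope);
    return escapeHtml(value);
  });
}

// VULNERABLE: user input becomes part of the template source, so any {{ }}
// the user supplies is treated as a template directive and evaluated.
function greetUnsafe(userName) {
  return render('<p>Hello ' + userName + '</p>', {});
}

// HARDENED: the template is a constant written by the developer; user input
// enters only as scope data, so its braces are ordinary characters. The single
// rendering pass never re-parses inserted values, and they are HTML-escaped.
function greetSafe(userName) {
  return render('<p>Hello {{name}}</p>', { name: userName });
}

// Constructed detection probe: if "49" shows up in the output, the input was
// evaluated as a template expression, which is the CSTI signature to look for.
const PROBE = '{{7*7}}';

console.log('unsafe:', greetUnsafe(PROBE)); // <p>Hello 49</p>
console.log('safe:  ', greetSafe(PROBE));   // <p>Hello {{7*7}}</p>
```

The same probe is what a scanner or a manual reviewer would feed into each input that reaches a client-side template; an evaluated result rather than the literal braces indicates the input is being compiled as template text.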