Exploiting Client-Side Template Injection (CSTI) for Bug Bounty

Listen to this Post

In a recent bug bounty discovery, a security researcher identified a Client-Side Template Injection (CSTI) vulnerability. The researcher tested the vulnerability by entering `{{7*7}}` in the email field of a forgot password form, which resulted in the server rendering 49. This confirmed the presence of CSTI, and the researcher was awarded a $100 bounty.

You Should Know:

Client-Side Template Injection (CSTI) occurs when user input is dynamically rendered in a template engine without proper sanitization. This can lead to arbitrary code execution on the client side. Below are some commands and code snippets to help you understand and exploit CSTI vulnerabilities:

1. Identifying CSTI:

  • Enter payloads like `{{7*7}}` or `{{‘7’*7}}` in input fields and check the response.
  • Use browser developer tools (Inspect Element) to analyze the rendered output.

2. Exploiting CSTI:

  • Example payload for AngularJS: `{{constructor.constructor(‘alert(1)’)()}}`
    – Example payload for Jinja2 (Python): `{{config.items()}}`

3. Testing for CSTI:

  • Use tools like Burp Suite or OWASP ZAP to automate payload injection.
  • Example Burp Suite payload: `{{7*7}}`

4. Mitigation:

  • Sanitize user input before rendering it in templates.
  • Use secure template engines that automatically escape user input.

What Undercode Say:

Client-Side Template Injection (CSTI) is a critical vulnerability that can lead to severe consequences if left unaddressed. Always sanitize user input and use secure template engines to prevent such vulnerabilities. Below are some additional Linux and Windows commands related to web application security:

  • Linux Commands:
    – `curl -X POST -d “email={{7*7}}” http://example.com/forgot-password` (Test CSTI via command line)
    – `grep -r “template” /var/www/html` (Search for template files in a web directory)
  • `nikto -h http://example.com` (Scan for vulnerabilities)

  • Windows Commands:
    – `Invoke-WebRequest -Uri http://example.com/forgot-password -Method POST -Body “email={{7*7}}”` (Test CSTI via PowerShell)
    – `dir /s *.template` (Search for template files in a directory)

For further reading on CSTI and bug bounty techniques, visit:
OWASP Template Injection
PortSwigger CSTI

References:

Reported By: Shivangmauryaa Bounty – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

Join Our Cyber World:

Whatsapp
TelegramFeatured Image