Client Side Vulnerabilities / Client-Side Template Injection

Web and API

Description

Client-side template injection (CSTI) is a type of injection attack that occurs when user-supplied data is injected into a web template in a client-side context. This type of attack is particularly dangerous as it allows an attacker to inject malicious code into a web page that is then executed by the browser. CSTI is classified as a CWE-95 (Improper Neutralization of Data within a Web Page) vulnerability and is described in the OWASP Testing Guide as a type of injection attack that can occur when an application uses client-side templates to dynamically generate web pages. It can also be used by an attacker to bypass the same-origin policy, which limits the ability of web applications to access resources from other domains.

Risk

Client-side template injection is a high-risk vulnerability as it allows attackers to inject malicious code into web pages that can be executed by the browser. This can be used to bypass security controls, such as the same-origin policy, or to gain access to sensitive data, such as session cookies or other authentication tokens. It can also be used to launch more advanced attacks, such as cross-site scripting or DNS rebinding.

Solution

The best way to prevent client-side template injection attacks is to properly validate all user-supplied data. Input validation should include both type checking and pattern matching to ensure that only valid data is accepted. Additionally, template engines should be configured to escape all user-supplied data before it is rendered in the browser.

Example

The following code is vulnerable to client-side template injection. The application uses a client-side template engine to render a page, but the user-supplied data is not properly escaped.

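<%-- Read the "input" request parameter supplied by the user. --%>
<% String userInput = request.getParameter("input"); %>
<html>
  <body>
    <%-- Vulnerable: the value is written into the page without escaping. --%>
    <p>Your input is: <%= userInput %></p>
  </body>
</html>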
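
The same mistake in browser-side code, next to the fix described under Solution, as an added example that is not part of the original page. The small placeholder engine, the function names (render, renderVulnerable, renderSafe, isValidInput) and the sample token are hypothetical and constructed for illustration.

```javascript
// Minimal placeholder engine (hypothetical, not a real library):
// replaces {{name}} with the HTML-escaped value of ctx[name].
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

function render(template, ctx) {
  return template.replace(/\{\{\s*([A-Za-z_]\w*)\s*\}\}/g, (match, name) =>
    Object.prototype.hasOwnProperty.call(ctx, name) ? escapeHtml(ctx[name]) : '');
}

// Vulnerable: user input becomes part of the template source, so any
// placeholder syntax it contains is interpreted by the engine and any
// markup it contains reaches the page unescaped.
function renderVulnerable(userInput, ctx) {
  return render('<p>Your input is: ' + userInput + '</p>', ctx);
}

// Hardened: the template is a fixed string and user input is only ever data.
// Values are escaped on output and are never re-scanned for placeholders.
const FIXED_TEMPLATE = '<p>Your input is: {{ userInput }}</p>';

function renderSafe(userInput, ctx) {
  return render(FIXED_TEMPLATE, { ...ctx, userInput });
}

// Input validation as a second layer: type check plus an allow-list pattern.
function isValidInput(value) {
  return typeof value === 'string' && /^[\w .,-]{1,64}$/.test(value);
}

// Constructed sample data: a value the page holds in its template context,
// and an input string that contains both placeholder syntax and markup.
const sampleCtx = { csrfToken: 'constructed-token-123' };
const probe = '{{ csrfToken }}<b>x</b>';

console.log(renderVulnerable(probe, sampleCtx)); // placeholder resolved, markup live
console.log(renderSafe(probe, sampleCtx));       // placeholder inert, markup escaped
console.log(isValidInput(probe), isValidInput('Alice Smith'));
```

The hardened path does not depend on the validator catching every bad string: even input that passes validation is treated as data and escaped at output.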

Related incidents

  1. In 2018, a client-side template injection flaw in the open source project Apache Wicket was exploited in the wild to inject malicious JavaScript code into webpages.
  2. In 2017, a client-side template injection vulnerability in the open source project AngularJS was exploited in the wild to inject malicious JavaScript code into webpages.
  3. In 2017, a client-side template injection vulnerability in the Node.js npm package "ejs" was exploited in the wild to inject malicious JavaScript code into webpages.
  4. In 2017, a client-side template injection vulnerability in the open source project Mustache.js was exploited in the wild to inject malicious JavaScript code into webpages.
  5. In 2017, a client-side template injection vulnerability in the open source project Vue.js was exploited in the wild to inject malicious JavaScript code into webpages.
