# CSTI

It is like a [**Server Side Template Injection**](/notes/network-services/ports/80-443-http-s/web-vulnerabilities/ssti.md) but in the **client**. The **SSTI** can allow you to **execute code** on the remote server, the **CSTI** could allow you to **execute arbitrary JavaScript** code in the victim.

The way to **test** for this vulnerability is very **similar** as in the case of **SSTI**, the interpreter is going to expect something to execute **between doubles keys** and will execute it. For example using something like: `{{ 7-7 }}` if the server is **vulnerable** you will see a `0` and if not you will see the original: `{{ 7-7 }}`.

## AngularJS

AngularJS is a popular JavaScript library, which scans the contents of HTML nodes containing the **`ng-app`** attribute (also known as an AngularJS directive). When a directive is added to the HTML code, **you can execute JavaScript expressions within double curly braces**.\
For example, if your **input** is being **reflected** inside the **body** of the HTML and the body is defined with `ng-app`: **`<body ng-app>`**

You can **execute arbitrary JavaScript** code using curly braces **adding** to the **body**:

```javascript
{{$on.constructor('alert(1)')()}}
{{constructor.constructor('alert(1)')()}}
<input ng-focus=$event.view.alert('XSS')>
```

Test **basic examples online** here: <http://jsfiddle.net/2zs2yv7o/>


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://0xpthree.gitbook.io/notes/network-services/ports/80-443-http-s/web-vulnerabilities/csti.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.