# CSTI

It is like a [**Server Side Template Injection**](https://0xpthree.gitbook.io/notes/network-services/ports/80-443-http-s/web-vulnerabilities/ssti) but in the **client**. The **SSTI** can allow you to **execute code** on the remote server, the **CSTI** could allow you to **execute arbitrary JavaScript** code in the victim.

The way to **test** for this vulnerability is very **similar** as in the case of **SSTI**, the interpreter is going to expect something to execute **between doubles keys** and will execute it. For example using something like: `{{ 7-7 }}` if the server is **vulnerable** you will see a `0` and if not you will see the original: `{{ 7-7 }}`.

## AngularJS

AngularJS is a popular JavaScript library, which scans the contents of HTML nodes containing the **`ng-app`** attribute (also known as an AngularJS directive). When a directive is added to the HTML code, **you can execute JavaScript expressions within double curly braces**.\
For example, if your **input** is being **reflected** inside the **body** of the HTML and the body is defined with `ng-app`: **`<body ng-app>`**

You can **execute arbitrary JavaScript** code using curly braces **adding** to the **body**:

```javascript
{{$on.constructor('alert(1)')()}}
{{constructor.constructor('alert(1)')()}}
<input ng-focus=$event.view.alert('XSS')>
```

Test **basic examples online** here: <http://jsfiddle.net/2zs2yv7o/>