{{alert('CSTI')}}: Large-scale detection of client-side template injection
RAID 2025, 28th International Symposium on Research in Attacks, Intrusions and Defenses, 19-22 October 2025, Gold Coast, Australia
Template engines are software components that enable the creation of reusable HTML elements containing special keywords that can dynamically alter the page’s rendering based on the presented data. This technology is widely used in server-side applications and frameworks, and in recent years it has also gained adoption on the client side through JavaScript frameworks and libraries. Client-Side Template Injection (CSTI) is a vulnerability that occurs when user input is reflected inside a template and rendered as part of it, allowing attackers to inject malicious instructions. This can trick the template engine into executing arbitrary JavaScript code, potentially leading to Cross-Site Scripting (XSS). Despite the widespread adoption of template engines in production websites, a comprehensive study of their characteristics remains absent. In our study, we begin by providing an overview of the main features of template engines, highlighting attributes that play a crucial role in escalating CSTI to XSS. We then use these extracted characteristics to develop a systematic methodology for detecting CSTI vulnerabilities. Based on this methodology, we create an automatic CSTI detection tool, CSTI-Alert. By running CSTI-Alert on the Tranco top 1 million domains, we identify 532 CSTI-vulnerable domains, with 72% directly leading to XSS through GET parameters or CSRF. Finally, we discuss potential approaches to defend against CSTI based on the result of our semi-automatic exploitability analysis.
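To illustrate the distinction the abstract draws between user input that is reflected inside the template source and user input that is passed to the template as data, the following JavaScript is example code written for this page, not code from the paper or from CSTI-Alert. The tiny `render` engine and the `vulnerableGreeting`/`safeGreeting` functions are constructed stand-ins for a real client-side template library.

```javascript
// Minimal expression-evaluating template engine (constructed for this example).
// Like many client-side engines, it treats every {{ ... }} as a JavaScript
// expression evaluated against the supplied data object.
function render(template, data) {
  const names = Object.keys(data);
  const values = Object.values(data);
  return template.replace(/\{\{\s*([^}]+?)\s*\}\}/g, (_, expr) => {
    // The expression text comes from the TEMPLATE, so whoever controls the
    // template source controls what gets evaluated.
    const fn = new Function(...names, `return (${expr});`);
    return String(fn(...values));
  });
}

// Vulnerable pattern: a value taken from the page (e.g. a GET parameter) is
// concatenated into the template source before the engine parses it, so any
// {{ }} in the input is interpreted as template code. This is CSTI.
function vulnerableGreeting(userName) {
  const template = 'Hello ' + userName + '!';
  return render(template, {});
}

// Hardened pattern: the template source is a constant controlled by the
// developer, and the user value only ever enters as data. The engine prints
// it verbatim, including any {{ }} it may contain.
function safeGreeting(userName) {
  return render('Hello {{ name }}!', { name: userName });
}

// Constructed probe input using the classic arithmetic check: the engine will
// only compute 7*7 if the input reached the template source.
const probe = '{{ 7*7 }}';
console.log(vulnerableGreeting(probe)); // Hello 49!
console.log(safeGreeting(probe));       // Hello {{ 7*7 }}!
```

When auditing a client-side page, the same test applies: if a reflected parameter containing `{{7*7}}` renders as `49`, the value is reaching the template source rather than the data binding.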
Type:
Conference
City:
Gold Coast
Date:
2025-10-19
Department:
Digital Security
Eurecom Ref:
8608
Copyright:
© 2025 IEEE. Personal use of this material is permitted. However, permission to reprint/republish this material for advertising or promotional purposes or for creating new collective works for resale or redistribution to servers or lists, or to reuse any copyrighted component of this work in other works must be obtained from the IEEE.
PERMALINK: https://www.eurecom.fr/publication/8608