# CSTI

### <mark style="color:yellow;">Angular Basics</mark>

#### Description

Angular is a client-side template framework, and user input can be embedded into its templates.

#### Template

An HTML snippet that tells Angular how to render the component in an Angular application.

* Allows HTML to be generated dynamically based on the arguments passed to it.
* Ex: `<h1>Welcome {{Username}}!</h1>`

#### Expressions

Expressions are JavaScript-like code snippets that can contain literals, operators, and variables.

* Angular expressions are evaluated against the Scope object.
* Ex: “{{Username}}”

#### Scope Object

The scope is just an object and you can define variables and functions in it.

By default, the scope object contains another object called "constructor", which contains a function also called "constructor":

* Used to dynamically generate and execute code.

<figure><img src="/files/Dxbrel3QiREwyq8ZXZ4W" alt=""><figcaption></figcaption></figure>

### <mark style="color:yellow;">CSTI</mark>

#### Description

Arises when applications using a client-side template framework dynamically embed user input in web pages.

#### Impact

Used to trigger XSS payloads.

#### Indicators

Submit the expression `{{1+1}}`. If it is evaluated and rendered as `2`, the app is vulnerable to CSTI.

#### Prevention

Use a sandbox.
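
The difference between user input embedded in the template text and user input passed as scope data, as an added example that is not part of the original notes. `render` is a toy engine standing in for Angular's expression evaluation, and all function names here are assumptions.

```javascript
// Toy interpolation engine, constructed for illustration; NOT Angular's parser.
// Like Angular, it evaluates every {{expression}} against a scope object.
function render(template, scope) {
  return template.replace(/\{\{(.*?)\}\}/g, (_, expr) => {
    // `with` resolves bare names on the scope, including inherited ones
    // such as `constructor`.
    const fn = new Function('scope', `with (scope) { return (${expr}); }`);
    return escapeHtml(String(fn(scope)));
  });
}

// Typical server-side HTML encoding. Curly braces are not HTML-special,
// so expression delimiters pass through unchanged.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => `&#${c.charCodeAt(0)};`);
}

// Vulnerable: user input becomes part of the template text, so any {{...}}
// in it is parsed and evaluated, even though it was HTML-encoded first.
function renderVulnerable(userInput) {
  return render('<h1>Welcome ' + escapeHtml(userInput) + '!</h1>', {});
}

// Fixed: the template is a constant and user input is only a scope value.
// The engine prints the value and never parses it as an expression.
function renderFixed(userInput) {
  return render('<h1>Welcome {{Username}}!</h1>', { Username: userInput });
}

// Why an empty scope is enough: scope.constructor is Object, and
// Object.constructor is Function, which compiles strings into code.
function scopeReachesFunction() {
  return render('{{constructor.constructor === Function}}', {}) === 'true';
}

const probe = '{{1+1}}'; // the indicator expression from the page
console.log(renderVulnerable(probe));
console.log(renderFixed(probe));
console.log(scopeReachesFunction());
```
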

### <mark style="color:yellow;">CSTI (XSS)</mark>

💡NOTE: Search for a sandbox bypass for the Angular version to get the XSS payload to execute.

Inject an Angular expression payload:

* `{{constructor.constructor('alert(1)')()}}`

<figure><img src="/files/bCG4eoT6wVvKUXbbEQCu" alt=""><figcaption></figcaption></figure>

The page causes the application to dynamically generate and execute our payload!


