CSTI: Another way to XSS. For WebVillage. A talk by Egor Karbutov, @ShikariSenpai

Another way to XSS For WebVillage - 2017.zeronights.org · MVC Frameworks • VueJS • AngularJS • CanJS • Underscore.js • KnockoutJS • Ember.js • Polymer • Ractive.js


Page 1

CSTI: Another way to XSS

For WebVillage

A talk by Egor Karbutov @ShikariSenpai

Page 2

$ Whoami

• @ShikariSenpai
• Penetration tester @ Digital Security
• Speaker
• Bug Hunter

Page 3

Agenda

• CSTI
• AngularJS
• Sandbox bypass
• Sanitizer problems
• CSP

Page 4

CSTI

• CSTI = Client-Side Template Injection
• Summon it when SSTI is not working 😊 (or not)
• Typical of JavaScript MVC frameworks and templating libraries
• Looks like this: {{1+1}} renders as 2

Page 7

What is AngularJS?

• Popular JavaScript MVC/MVW framework
• "Superheroic Framework!" (c) Google
• Maintained by Google
• For client-side-heavy single-page applications
• A large community and a huge number of commits
• Has an API for DOM manipulation
• Not a classical application implementation scheme
• Static-static

Page 8

AngularJS Security Philosophy

• High security standard
• Has an HTML sanitizer by default
• Supports CSP
• ...if the rules are being followed
• Use the latest AngularJS possible (or Angular 2.0)

https://docs.angularjs.org/guide/security

Page 9

AngularJS Sandbox

• The AngularJS sandbox is not a security feature
• It exists to prevent access to global JS properties
• «Don't use the DOM, use our API». The DOM is full of crap
• But developers rely on the sandbox
• We have so many bypasses for the AngularJS sandbox

Page 10

How to detect AngularJS

• Search for the Angular script src
• Search for «ng-app»

• https://www.owasp.org/images/6/6e/Benelus_day_20161125_S_Lekies_Securing_AngularJS_Applications.pdf

Page 11

How to detect CSTI

• Dynamic template generation
• Easy fuzz, easy life
• {{11*11}} renders as 121

• You can't detect CSTI with Burp Repeater
• Why? It's client side, dude! You need a browser

• Check the version and test-test-test expressions

Page 12

First example

• Don't have XSS!

Page 13

First example

• Yep, it's XSS!

Page 14

First bypass

• Everything inside {{ and }} is treated as an AngularJS expression
• We have the scope object
• {{username}} = scope.username
• {{alert(1)}}: the scope doesn't have an alert object
• But every scope object in JS has a constructor
• And constructor.constructor = eval()

Page 15

First Bypass

• {{constructor.constructor('alert(1);')()}}
• Works in 1.0, fixed in 1.2.0

Page 16

More difficult

• https://www.youtube.com/watch?v=U4e0Remq1WQ

Page 17

And more

• https://www.youtube.com/watch?v=U4e0Remq1WQ

Page 18

And more

• https://www.youtube.com/watch?v=U4e0Remq1WQ

Page 19

Go away sandbox!

• Payload for 1.6 = {{constructor.constructor('alert(1);')()}}
• "The aim was to provide feedback to the developer to prevent them from inadvertently designing applications that would be difficult to test and maintain." Not for security!
• Control expressions like classic XSS
• Use static templates!
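The two ways of putting a user-controlled value on an AngularJS page that the talk contrasts (dynamic template generation versus a static template), written out as an added example that is not part of the deck; the function names, the ng-app/controller names and the {{11*11}} probe from the "How to detect CSTI" slide are constructed for this example. The checker at the end generalizes that probe into a defender-side test over rendered HTML, including the tempting but useless fix of entity-encoding the braces.

```javascript
// Added example, not from the talk. Contrasts "dynamic template generation"
// (user input concatenated into an AngularJS template on the server) with two
// renderings that keep user input out of the template. Names are constructed.

// Classic HTML escaping: enough against "<script>", useless against {{ }}.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));
}

// VULNERABLE: the escaped value still sits inside a bindable region, so the
// AngularJS compiler evaluates any {{...}} in it as an expression (CSTI).
function renderDynamic(username) {
  return `<div ng-app="app"><p>Hello, ${escapeHtml(username)}</p></div>`;
}

// STILL VULNERABLE: encoding the braces as entities changes nothing, because
// AngularJS reads the browser-decoded text of the DOM node, not the HTML source.
function renderBraceEncoded(username) {
  const enc = escapeHtml(username).replace(/\{/g, '&#123;').replace(/\}/g, '&#125;');
  return `<div ng-app="app"><p>Hello, ${enc}</p></div>`;
}

// SAFE: ng-non-bindable tells the compiler to leave this subtree alone.
function renderNonBindable(username) {
  return `<div ng-app="app"><p ng-non-bindable>Hello, ${escapeHtml(username)}</p></div>`;
}

// SAFE: static template; the value reaches the view as scope data through
// ng-bind, never as template text (the controller setting scope.username is omitted).
function renderStatic() {
  return `<div ng-app="app" ng-controller="ProfileCtrl"><p>Hello, <span ng-bind="username"></span></p></div>`;
}

// Defender-side check mirroring the "{{11*11}} = 121" probe: report interpolation
// markers that survive in a bindable region. Brace entities are decoded first;
// ng-non-bindable subtrees are dropped (simplified: nested same-name tags not handled).
function hasBindableInterpolation(html) {
  const decoded = html
    .replace(/&#(?:123|x7b);/gi, '{')
    .replace(/&#(?:125|x7d);/gi, '}');
  const withoutNonBindable = decoded.replace(
    /<([a-z][\w-]*)\b[^>]*\bng-non-bindable\b[^>]*>[\s\S]*?<\/\1\s*>/gi, '');
  return /\{\{[\s\S]+?\}\}/.test(withoutNonBindable);
}
```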

Page 20

Go away sandbox!

Page 21

Payload without quotes

• http://blog.portswigger.net/2016/04/adapting-angularjs-payloads-to-exploit.html

Page 22

HTML Sanitizer

• By default, user input is sanitized
• No characters for classic XSS like > <
• But a developer can make a mistake if he wants to inject HTML + user input

Page 23

HTML Sanitizer

• https://www.owasp.org/images/6/6e/Benelus_day_20161125_S_Lekies_Securing_AngularJS_Applications.pdf

Page 24

HTML Sanitizer

• https://www.owasp.org/images/6/6e/Benelus_day_20161125_S_Lekies_Securing_AngularJS_Applications.pdf

Page 25

HTML Sanitizer

• Bad functions
  • UserInput
  • Element.html
  • trustAsHtml
  • escapeForHtml

• Good functions
  • ngBindHtml with ngSanitize

• https://www.owasp.org/images/6/6e/Benelus_day_20161125_S_Lekies_Securing_AngularJS_Applications.pdf
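A small review aid for the "bad functions / good functions" list above, added here as an example that is not part of the deck: it scans AngularJS source for the calls the slide warns about and points at the slide's alternative (ngBindHtml with ngSanitize). The pattern table, the explanations and the sample controller source are constructed for this example.

```javascript
// Added example, not from the talk: flags the sanitizer pitfalls named on the
// slide in AngularJS source and reports the recommended alternative.

const RISKY_CALLS = [
  { name: 'trustAsHtml', re: /\btrustAsHtml\s*\(/,
    why: '$sce.trustAsHtml marks the value as trusted HTML, so ngSanitize never sees it' },
  { name: 'element.html', re: /\.html\s*\(\s*[^)\s]/,
    why: 'element.html(value) writes raw markup into the DOM (the getter .html() is fine)' },
  { name: 'escapeForHtml', re: /\bescapeForHtml\s*\(/,
    why: 'listed on the slide among the functions to avoid when user input becomes HTML' },
];
const RECOMMENDATION = 'render with ng-bind-html and load the ngSanitize module';

// One finding per (line, pattern); line numbers are 1-based.
function scanAngularSource(source) {
  const findings = [];
  source.split('\n').forEach((text, i) => {
    for (const p of RISKY_CALLS) {
      if (p.re.test(text)) {
        findings.push({ line: i + 1, pattern: p.name, why: p.why, fix: RECOMMENDATION });
      }
    }
  });
  return findings;
}

// Constructed controller snippet: two risky lines, two acceptable ones.
const SAMPLE_SOURCE = [
  "app.controller('ProfileCtrl', function ($scope, $sce, $element) {",
  "  $scope.bio = $sce.trustAsHtml($scope.rawBio);   // user-controlled rawBio",
  "  $element.find('p').html($scope.rawBio);         // raw write into the DOM",
  "  var current = $element.html();                  // getter, no write",
  "  $scope.safeBio = $scope.rawBio;                 // view uses ng-bind-html + ngSanitize",
  '});',
].join('\n');

function scanSample() {
  return scanAngularSource(SAMPLE_SOURCE);
}
```

Run scanSample() to see the two findings for the constructed snippet; the getter on line 4 and the plain assignment on line 5 are not reported.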

Page 26

Check CSP

Page 27

Conclusion

• The sandbox isn't a security feature
• All sandbox versions are bypassed
• Many sites run an old AngularJS version
• Many sites have dynamic template generation
• The HTML sanitizer isn't a panacea
• CSP is hard

Page 28

Useful links

• Securing AngularJS Applications: https://www.owasp.org/images/6/6e/Benelus_day_20161125_S_Lekies_Securing_AngularJS_Applications.pdf
• An Abusive Relationship with AngularJS v2: https://www.youtube.com/watch?v=U4e0Remq1WQ
• XSS without HTML: Client-Side Template Injection with AngularJS: http://blog.portswigger.net/2016/01/xss-without-html-client-side-template.html
• Developer guide. Security: https://docs.angularjs.org/guide/security
• Adapting AngularJS Payloads to Exploit Real World Applications: http://blog.portswigger.net/2016/04/adapting-angularjs-payloads-to-exploit.html
• Test your payloads: http://liveoverflow.com/angularjs/

Page 29

Questions? @ShikariSenpai