Another way to XSS For WebVillage - 2017.zeronights.org · MVC Frameworks • VueJS • AngularJS...
Another way to XSS
For WebVillage
A talk by Egor Karbutov @ShikariSenpai

$ Whoami
• @ShikariSenpai
• Penetration tester @ Digital Security
• Speaker
• Bug Hunter
Agenda
• CSTI
• AngularJS
• Sandbox bypass
• Sanitizer problems
• CSP
CSTI
• CSTI = Client-Side Template Injection
• Summon when SSTI is not working 😊 or not
• Typical of JavaScript MVC frameworks and templating libraries
• Looks like: {{1+1}} = {{2}}
MVC Frameworks
• VueJS
• AngularJS
• CanJS
• Underscore.js
• KnockoutJS
• Ember.js
• Polymer
• Ractive.js
• jQuery
• JsRender
• Kendo UI
• More information on mustache-security: https://code.google.com/archive/p/mustache-security/
What is AngularJS?
• Popular JavaScript MVC/MVW framework
• Superheroic Framework! (c) Google
• Maintained by Google
• For client-side-heavy single page applications
• A large community and a huge number of commits
• Has an API for DOM manipulation
• Not a classical application implementation scheme
• Static-static
AngularJS Security Philosophy
https://docs.angularjs.org/guide/security
• High security standard
• Has an HTML Sanitizer by default
• Supports CSP
• If the rules are being followed
• Use the latest AngularJS possible (or Angular 2.0)
AngularJS Sandbox
• The AngularJS Sandbox is not a security feature
• It exists to prevent access to global JS properties
• «Don’t use DOM, use our API». The DOM is full of crap
• But developers rely on the Sandbox
• We have so many bypasses for the AngularJS Sandbox
How to detect AngularJS
• Search for the Angular script src
• Search for «ng-app»
• https://www.owasp.org/images/6/6e/Benelus_day_20161125_S_Lekies_Securing_AngularJS_Applications.pdf
How to detect CSTI
• Dynamic template generation
• Easy fuzz, easy life: {{11*11}} = {{121}}
• You can’t detect CSTI with Burp Repeater. Why? It’s client side, dude! You need a browser
• Check the version and test-test-test expressions
First example
• Don’t have XSS!

First example
• Yep, it’s XSS!
First bypass
• Everything inside {{ and }} is treated as an AngularJS expression
• We have the scope object
• {{username}} = scope.username
• {{alert(1)}}: the scope doesn’t have an alert object
• But every object in JS has a constructor
• And constructor.constructor = eval()

First bypass
• {{constructor.constructor('alert(1)')()}}
• Working in 1.0, fixed in 1.2.0
More difficult
• https://www.youtube.com/watch?v=U4e0Remq1WQ

Go away sandbox!
• Payload for 1.6 = {{constructor.constructor('alert(1)')()}}
• «The aim was to provide feedback to the developer to prevent them from inadvertently designing applications that would be difficult to test and maintain.» Not for security!
• Control expressions like classic XSS
• Use a static template!
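The two slides above that matter most to a developer are "How to detect CSTI" (dynamic template generation, the {{11*11}} probe) and "Use a static template!". The following is an added example, not code from the talk: a server-side render function that builds the AngularJS template from user input, next to a static-template version, and the probe check applied to both. It runs in plain Node.js without AngularJS; the app name profileApp, the controller ProfileCtrl and the JSON-island wiring are assumptions made for illustration.

```javascript
// Added example (not from the talk): dynamic vs. static AngularJS templates,
// checked with the {{11*11}} probe from the slides. Plain Node.js.

const CSTI_PROBE = '{{11*11}}'; // renders as 121 if it lands in a region AngularJS compiles

// Classic XSS escaping: neutralises < > & " ' but leaves {{ and }} untouched,
// which is exactly why HTML escaping alone does not stop CSTI.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// VULNERABLE pattern (dynamic template generation): the server concatenates
// user input into markup that AngularJS will later compile in the browser.
function renderProfileDynamic(username) {
  return [
    '<div ng-app="profileApp" ng-controller="ProfileCtrl">',
    `  <h1>Hello ${escapeHtml(username)}</h1>`,
    '</div>',
  ].join('\n');
}

// SAFER pattern (static template): the markup is fixed and user data travels
// as data. Here it is a JSON island outside ng-app; the hypothetical
// ProfileCtrl JSON.parses it into $scope.username, and the view prints it with
// ng-bind, which sets text content instead of compiling it.
function renderProfileStatic(username) {
  // escape "<" so a "</script>" inside the data cannot close the island
  const json = JSON.stringify({ username }).replace(/</g, '\\u003c');
  return [
    `<script type="application/json" id="profile-data">${json}</script>`,
    '<div ng-app="profileApp" ng-controller="ProfileCtrl">',
    '  <h1>Hello <span ng-bind="username"></span></h1>',
    '</div>',
  ].join('\n');
}

// Check used in this example: does the probe appear verbatim inside the ng-app
// subtree? Text and attribute values there are interpolated by AngularJS, so a
// true result means a browser would show 121. Content before the ng-app
// element (such as the JSON island) is not compiled and does not count.
function probeReachesBindableRegion(html, probe = CSTI_PROBE) {
  const start = html.search(/<[^>]*\bng-app\b/);
  if (start === -1) return false; // no AngularJS bootstrap at all
  return html.slice(start).includes(probe);
}

// Demo run: the dynamic page carries the probe into the compiled region,
// the static page does not, even though both escape classic XSS characters.
console.log('dynamic:', probeReachesBindableRegion(renderProfileDynamic(CSTI_PROBE)));
console.log('static: ', probeReachesBindableRegion(renderProfileStatic(CSTI_PROBE)));
```

When AngularJS compiles the two pages, the dynamic one shows "Hello 121" while the static one shows the literal text {{11*11}}, because ng-bind writes the value as text and never interpolates it. The check is a string heuristic for the case in the slides; a real test still needs a browser, as the talk says.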
Payload without quote
• http://blog.portswigger.net/2016/04/adapting-angularjs-payloads-to-exploit.html
HTML Sanitizer
• By default sanitizes user input
• No characters for classic XSS like > and <
• But a developer can make a mistake if they want to inject HTML + user input
• https://www.owasp.org/images/6/6e/Benelus_day_20161125_S_Lekies_Securing_AngularJS_Applications.pdf

HTML Sanitizer
• Bad functions: UserInput, Element.html, trustAsHtml, escapeForHtml
• Good functions: ngBindHtml with ngSanitize
• https://www.owasp.org/images/6/6e/Benelus_day_20161125_S_Lekies_Securing_AngularJS_Applications.pdf
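The "bad functions / good functions" slide as a review-time check: an added example, not code from the talk or from AngularJS itself. It scans a constructed controller and template for $sce.trustAsHtml applied to non-literal data, jqLite/jQuery .html() writes, and ng-bind-html used without the ngSanitize module in the dependency list. The regexes are reviewer heuristics, not a parser, and the sample sources are constructed for this example.

```javascript
// Added example (not from the talk): flag the sanitizer-bypassing patterns
// from the slide in AngularJS sources. Heuristic regexes for code review.

// Constructed sample: a controller that bypasses the sanitizer twice and a
// template that relies on ng-bind-html.
const SAMPLE_JS = `
angular.module('app', ['ngRoute'])
  .controller('BioCtrl', function ($scope, $sce, $http, $element) {
    $scope.safeFooter = $sce.trustAsHtml('<b>Static footer</b>'); // literal: fine
    $http.get('/api/bio').then(function (r) {
      $scope.bio = $sce.trustAsHtml(r.data.bio);                 // user data: unsafe
      $element.find('.raw').html(r.data.bio);                    // raw DOM write: unsafe
    });
  });
`;
const SAMPLE_HTML = `
<div ng-controller="BioCtrl">
  <div ng-bind-html="bio"></div>
  <div ng-bind-html="safeFooter"></div>
</div>
`;

// true when the argument text is a single quoted string literal
function isStringLiteral(arg) {
  return /^(['"`]).*\1$/s.test(arg);
}

function auditAngularSources({ js, html }) {
  const findings = [];

  // 1. $sce.trustAsHtml(x) with non-literal x marks data as trusted HTML, so
  //    ng-bind-html renders it without running $sanitize.
  for (const m of js.matchAll(/\$sce\.trustAsHtml\(\s*([^)]*?)\s*\)/g)) {
    if (!isStringLiteral(m[1])) {
      findings.push({ kind: 'trustAsHtml-dynamic', where: m[0].trim() });
    }
  }

  // 2. element.html(x): a jqLite/jQuery write of raw markup, outside the
  //    sanitizer entirely (the "Element.html" entry on the slide).
  for (const m of js.matchAll(/\.html\(\s*([^)]*?)\s*\)/g)) {
    if (m[1] !== '' && !isStringLiteral(m[1])) {
      findings.push({ kind: 'element-html-dynamic', where: m[0].trim() });
    }
  }

  // 3. ng-bind-html is the "good function" only with ngSanitize loaded;
  //    without it the binding throws for untrusted values, which pushes
  //    developers towards trustAsHtml.
  const usesBindHtml = /\bng-bind-html=/.test(html);
  const deps = (js.match(/angular\.module\(\s*['"][^'"]+['"]\s*,\s*\[([^\]]*)\]/) || [, ''])[1];
  if (usesBindHtml && !/['"]ngSanitize['"]/.test(deps)) {
    findings.push({ kind: 'ng-bind-html-without-ngSanitize', where: 'module dependency list' });
  }
  return findings;
}

// Demo run over the constructed sample
for (const f of auditAngularSources({ js: SAMPLE_JS, html: SAMPLE_HTML })) {
  console.log(`${f.kind}: ${f.where}`);
}
```

On the sample the check reports all three kinds; a controller that depends on ngSanitize and assigns r.data.bio straight to the scope, letting ng-bind-html sanitize it, produces no findings.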
Check CSP
Conclusion
• The Sandbox isn’t a security feature
• All sandbox versions are bypassed
• Many sites have an old AngularJS version
• Many sites have dynamic template generation
• The HTML sanitizer isn’t a panacea
• CSP is hard
Useful links
• Securing AngularJS Applications: https://www.owasp.org/images/6/6e/Benelus_day_20161125_S_Lekies_Securing_AngularJS_Applications.pdf
• An Abusive Relationship with AngularJS v2: https://www.youtube.com/watch?v=U4e0Remq1WQ
• XSS without HTML: Client-Side Template Injection with AngularJS: http://blog.portswigger.net/2016/01/xss-without-html-client-side-template.html
• Developer guide. Security: https://docs.angularjs.org/guide/security
• Adapting AngularJS Payloads to Exploit Real World Applications: http://blog.portswigger.net/2016/04/adapting-angularjs-payloads-to-exploit.html
• Test your payloads: http://liveoverflow.com/angularjs/
Questions? @ShikariSenpai