CSTI for Dummies

E K
November 23, 2017

Introduction to CSTI vulnerability:
- Basics (for AngularJS)
- Search methods
- Sandbox bypass
- HTML Sanitizer problem
- CSP is hard
The slides have many, many references to other hard talks!
ZeroNights, WebVillage


Transcript

  1. CSTI: Another way to XSS. For WebVillage. A talk by Egor Karbutov @ShikariSenpai
  2. $ Whoami • @ShikariSenpai • Penetration tester @ Digital Security • Speaker • Bug Hunter
  3. Agenda • CSTI • AngularJS • Sandbox bypass • Sanitizer problems • CSP
  4. CSTI • CSTI = Client-Side Template Injection • Summon when SSTI is not working, or not • Typical of JavaScript MVC frameworks and templating libraries • Looks like • {{1+1}} = {{2}}
  5. MVC Frameworks • VueJS • AngularJS • CanJS • Underscore.js • KnockoutJS • Ember.js • Polymer • Ractive.js • jQuery • JsRender • Kendo UI • More information on mustache-security • https://code.google.com/archive/p/mustache-security/
  6. None
  7. What is AngularJS? • Popular JavaScript MVC/MVW • Superheroic Framework! (c) Google • Maintained by Google • For client-side-heavy single page applications • A large community and a huge number of commits • Has an API for DOM manipulation • Not a classical application implementation scheme • Static-static
  8. AngularJS Security Philosophy • High security standard • Has an HTML sanitizer by default • Supports CSP • If the rules are being followed • Use the latest AngularJS possible (or Angular 2.0) • https://docs.angularjs.org/guide/security
  9. AngularJS Sandbox • AngularJS Sandbox is not a security feature • To prevent access to global JS properties • «Don't use DOM, use our API». DOM full of crap • But developers rely on the Sandbox • We have so many bypasses for the AngularJS Sandbox
  10. How to detect AngularJS • Search Angular script src • Search «ng-app» • https://www.owasp.org/images/6/6e/Benelus_day_20161125_S_Lekies_Securing_AngularJS_Applications.pdf
  11. How to detect CSTI • Dynamic template generation • Easy fuzz, easy life • {{11*11}} = {{121}} • You can't detect CSTI with Burp Repeater • Why? It's client side, dude! • You need a browser • Check version and test-test-test expressions
  12. First example • Don't have XSS!
  13. First example • Yep, it's XSS!
  14. First bypass • Everything inside {{ and }} is treated as an AngularJS expression • We have object scope • {{username}} = scope.username • {{alert(1)}}: scope doesn't have an alert object • But every scope object in JS has a constructor • And constructor.constructor = eval();
  15. First Bypass • {{constructor.constructor('alert(1);')()}} • Working 1.0, fixed 1.2.0
  16. More difficult • https://www.youtube.com/watch?v=U4e0Remq1WQ
  17. And more • https://www.youtube.com/watch?v=U4e0Remq1WQ
  18. And more • https://www.youtube.com/watch?v=U4e0Remq1WQ
  19. Go away sandbox! • Payload for 1.6 = {{constructor.constructor('alert(1);')()}} • "The aim was to provide feedback to the developer to prevent them from inadvertently designing applications that would be difficult to test and maintain." Not for security! • Control expressions like classic XSS • Use static template!
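The contrast between slide 11 ("dynamic template generation" is what makes the {{11*11}} probe evaluate) and slide 19 ("use static template!") is easier to see with a tiny renderer. The following is an added example in JavaScript, not code from the slides or from AngularJS itself: a toy `{{ }}` compiler that only understands integer arithmetic and scope lookups stands in for the framework, and the `evaluate`, `compile`, `renderDynamicTemplate`, `renderStaticTemplate` and `evaluatesUserInput` functions and the `username` field are assumptions made for the illustration.

```javascript
// Added example (not from the slides): a toy {{ }} renderer standing in for a
// client-side framework's template compiler. It contrasts a template whose
// source is built from user input with a static template that receives the
// same input as scope data.

// Evaluate one template expression against a scope object. Only integer
// arithmetic and identifiers that exist on the scope are accepted; anything
// else is rejected so the toy evaluator never reaches outside the scope.
function evaluate(expr, scope) {
  if (!/^[\w\s+\-*\/().]+$/.test(expr)) {
    throw new Error('unsupported expression: ' + expr);
  }
  const substituted = expr.replace(/\b[A-Za-z_]\w*\b/g, (name) => {
    if (!Object.prototype.hasOwnProperty.call(scope, name)) {
      throw new Error('unknown identifier: ' + name);
    }
    return JSON.stringify(scope[name]);
  });
  // After substitution the text holds only literals and arithmetic operators.
  return Function('return (' + substituted + ');')();
}

// Compile a template once; the returned function renders it against a scope.
function compile(templateSource) {
  return (scope) =>
    templateSource.replace(/\{\{(.*?)\}\}/g, (_, expr) =>
      String(evaluate(expr.trim(), scope)));
}

// Minimal HTML escaping of the kind a server applies before output.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern ("dynamic template generation", slide 11): the server
// escapes the username and pastes it into the template source, which the
// client then compiles. Escaping removes < and >, so there is no classic XSS,
// but the braces survive and the framework evaluates what is between them.
function renderDynamicTemplate(username) {
  const templateSource = '<p>Hello, ' + escapeHtml(username) + '</p>';
  return compile(templateSource)({});
}

// Safe pattern ("use static template", slide 19): the template is fixed at
// build time and the username arrives as scope data; braces in it are text.
const greetStatic = compile('<p>Hello, {{username}}</p>');
function renderStaticTemplate(username) {
  return greetStatic({ username: escapeHtml(username) });
}

// Regression check for a test suite: does a render path evaluate a benign
// arithmetic probe supplied as user data? (Slide 11's {{11*11}} = 121 check,
// applied to the application's own rendering function.)
function evaluatesUserInput(render) {
  return render('{{11*11}}').includes('121');
}
```

Running `renderDynamicTemplate('{{11*11}}')` yields `<p>Hello, 121</p>` even though the input was HTML-escaped, which is exactly why Burp-style reflection checks miss CSTI: the server's output is harmless text until the client-side compiler runs over it. The static variant yields `<p>Hello, {{11*11}}</p>`, and `evaluatesUserInput` turns the slide's manual probe into an automated check that a renderer keeps user input out of the template source.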
  20. Go away sandbox!
  21. Payload without quote • http://blog.portswigger.net/2016/04/adapting-angularjs-payloads-to-exploit.html
  22. HTML Sanitizer • By default sanitizes user input • No characters for classic XSS like >< • But a developer can make a mistake if they want to inject HTML + user input
  23. HTML Sanitizer • https://www.owasp.org/images/6/6e/Benelus_day_20161125_S_Lekies_Securing_AngularJS_Applications.pdf
  24. HTML Sanitizer • https://www.owasp.org/images/6/6e/Benelus_day_20161125_S_Lekies_Securing_AngularJS_Applications.pdf
  25. HTML Sanitizer • Bad functions • UserInput • Element.html • trustAsHtml • escapeForHtml • Good functions • ngBindHtml with ngSanitize • https://www.owasp.org/images/6/6e/Benelus_day_20161125_S_Lekies_Securing_AngularJS_Applications.pdf
  26. Check CSP
  27. Conclusion • Sandbox isn't a security feature • All sandbox versions are bypassed • Many sites have old versions of AngularJS • Many sites have dynamic template generation • HTML sanitizer isn't a panacea • CSP is hard
  28. Useful links • Securing AngularJS Applications • https://www.owasp.org/images/6/6e/Benelus_day_20161125_S_Lekies_Securing_AngularJS_Applications.pdf • An Abusive Relationship with AngularJS v2 • https://www.youtube.com/watch?v=U4e0Remq1WQ • XSS without HTML: Client-Side Template Injection with AngularJS • http://blog.portswigger.net/2016/01/xss-without-html-client-side-template.html • Developer guide. Security • https://docs.angularjs.org/guide/security • Adapting AngularJS Payloads to Exploit Real World Applications • http://blog.portswigger.net/2016/04/adapting-angularjs-payloads-to-exploit.html • Test your payloads • http://liveoverflow.com/angularjs/
  29. Questions? @ShikariSenpai