CSTI for Dummies

E K
November 23, 2017

Introduction to CSTI vulnerability:
- Basics (for AngularJS)
- Search methods
- Sandbox bypass
- HTML Sanitizer problem
- CSP is hard
Slides have many-many references to other hard talks!
ZeroNights, WebVillage

Transcript

  1. CSTI
     • CSTI = Client-Side Template Injection
     • Summon when SSTI is not working (or not present)
     • Typical of JavaScript MVC frameworks and templating libraries
     • Looks like: {{1+1}} = {{2}}
  2. MVC Frameworks
     • VueJS
     • AngularJS
     • CanJS
     • Underscore.js
     • KnockoutJS
     • Ember.js
     • Polymer
     • Ractive.js
     • jQuery
     • JsRender
     • Kendo UI
     • More information on mustache-security: https://code.google.com/archive/p/mustache-security/
  3. What is AngularJS?
     • Popular JavaScript MVC/MVW
     • Superheroic Framework! (c) Google
     • Maintained by Google
     • For client-side-heavy single page applications
     • A large community and a huge number of commits
     • Has an API for DOM manipulation
     • Not a classical application implementation scheme
     • Static-static
  4. AngularJS Security Philosophy
     • High security standard
     • Has an HTML Sanitizer by default
     • Supports CSP
     • If the rules are being followed
     • Use the latest AngularJS possible (or Angular 2.0)
     • https://docs.angularjs.org/guide/security
  5. AngularJS Sandbox
     • AngularJS Sandbox is not a security feature
     • Its purpose: prevent access to global JS properties
     • «Don’t use DOM, use our API». DOM is full of crap
     • But developers rely on the Sandbox
     • We have so many bypasses for the AngularJS Sandbox
  6. How to detect AngularJS
     • Search for the Angular script src
     • Search for «ng-app»
     • https://www.owasp.org/images/6/6e/Benelus_day_20161125_S_Lekies_Securing_AngularJS_Applications.pdf
  7. How to detect CSTI
     • Dynamic template generation
     • Easy fuzz, easy life: {{11*11}} = {{121}}
     • You can’t detect CSTI with Burp Repeater
     • Why? It’s client side, dude! You need a browser
     • Check the version and test-test-test expressions
  8. First bypass
     • Everything inside {{ and }} is treated as an AngularJS expression
     • We have an object scope: {{username}} = scope.username
     • {{alert(1)}}: scope doesn’t have an alert object
     • But every scope object in JS has a constructor
     • And constructor.constructor = eval()
  9. Go away sandbox!
     • Payload for 1.6 = {{constructor.constructor('alert(1);')()}}
     • "The aim was to provide feedback to the developer to prevent them from inadvertently designing applications that would be difficult to test and maintain." Not for security!
     • Control expressions like classic XSS
     • Use a static template!
  10. HTML Sanitizer
     • By default sanitizes user input: no characters for classic XSS like > and <
     • But a developer can make a mistake if he wants to inject HTML + user input
  11. HTML Sanitizer
     • Bad functions: UserInput, Element.html, trustAsHtml, escapeForHtml
     • Good functions: ngBindHtml with ngSanitize
     • https://www.owasp.org/images/6/6e/Benelus_day_20161125_S_Lekies_Securing_AngularJS_Applications.pdf
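An added example, not from the slides, in JavaScript: it shows why HTML escaping alone does not stop the {{11*11}} probe from slide 7, contrasts dynamic template generation with a static template (slides 9 to 11), and gives a server-side triage check for the probe. The function names are hypothetical; ng-non-bindable is a real AngularJS directive the slides do not mention.

```javascript
// Constructed illustration (not the speaker's code). Function names are hypothetical.

// Classic HTML escaping removes the characters classic XSS needs,
// but leaves "{" and "}" untouched, so {{...}} survives it.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Dynamic template generation: user input is concatenated into markup that
// AngularJS compiles in the browser. The escaped text still contains {{ }},
// which Angular treats as an expression (CSTI).
function renderUnsafe(username) {
  return `<div ng-app>Hello ${escapeHtml(username)}</div>`;
}

// Static template: user data is never placed where the compiler reads it as
// template. ng-non-bindable (a real AngularJS directive, assumed here) makes
// the compiler skip the element's contents; binding the value through the
// scope with ng-bind instead of inline text is the other static option.
function renderSafe(username) {
  return `<div ng-app>Hello <span ng-non-bindable>${escapeHtml(username)}</span></div>`;
}

// Triage check for a test harness: did the probe reach an ng-app page with its
// braces intact and outside any ng-non-bindable element? Regex-based, so it
// only flags candidates; as slide 7 says, the real verdict needs a browser.
function probeSurvives(html, probe = '{{11*11}}') {
  if (!/\bng-app\b/.test(html)) return false; // no AngularJS bootstrap, no CSTI
  const stripped = html.replace(
    /<([a-z]+)[^>]*\bng-non-bindable\b[^>]*>[\s\S]*?<\/\1>/gi, '');
  return stripped.includes(escapeHtml(probe));
}
```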
  12. Conclusion
     • The Sandbox isn’t a security feature
     • All sandbox versions are bypassed
     • Many sites have an old version of AngularJS
     • Many sites have dynamic template generation
     • The HTML sanitizer isn’t a panacea
     • CSP is hard
  13. Useful links
     • Securing AngularJS Applications: https://www.owasp.org/images/6/6e/Benelus_day_20161125_S_Lekies_Securing_AngularJS_Applications.pdf
     • An Abusive Relationship with AngularJS v2: https://www.youtube.com/watch?v=U4e0Remq1WQ
     • XSS without HTML: Client-Side Template Injection with AngularJS: http://blog.portswigger.net/2016/01/xss-without-html-client-side-template.html
     • Developer guide. Security: https://docs.angularjs.org/guide/security
     • Adapting AngularJS Payloads to Exploit Real World Applications: http://blog.portswigger.net/2016/04/adapting-angularjs-payloads-to-exploit.html
     • Test your payloads: http://liveoverflow.com/angularjs/