Hacking fun!

Angular Template Injection without Quote Characters

Introduction

When you’re trying to detect XSS in an Angular application (AngularJS or Angular >2, the version doesn’t matter for this post), you’ll probably try the following possibilities:

  • You enter a basic XSS payload such as <script>alert(0);</script>
  • You find out that the developer encoded the output properly and the < > characters turn into &lt; and &gt; 
  • Your next attempt will be a client-side template injection: {{1338-1}}
  • The application displays 1337
  • From here on, it will be straight-forward: you’ll find a payload that matches the Angular version of the app and pop that alert to get a Proof of Concept.

However, in some cases, the output sanitation applies not only to characters like > and < but also encodes single and double quote characters ( ‘ will turn into &apos;, etc.)

This means that if you try to insert a payload that has quotes in it, for example:

{{constructor.constructor('alert(0)')()}}

It will turn into

{{constructor.constructor(&apos;alert(0)&apos;)()}}

At this point, your expression will trigger a syntax error and the payload will fail. 

So, what can we do about it?

When trying to avoid quotes in a payload (because it contains strings) the easiest way is to use functions that generates strings. In JavaScript, we will need to use the String object, specifically, the String.fromCharCode() method

The issue in this case (Angular applications) is that we cannot just call String.fromCharCode()in an Angular expression:

{{constructor.constructor(String.formCharCode(...))()}}

It will not work because Angular limits us to only using the properties and variables that are accessible under Angular’s scope. (More about the scope here: https://github.com/angular/angular.js/wiki/Understanding-Scopes). If Angular wasn’t stopping us from accessing objects outside the scope, we wouldn’t need to access the Stringobject. As attacker, we could just inject {{window.alert(0)}}

So what do we do when we don’t have access to the Stringobject but we still need to call fromCharCode() to generate our “alert(0)” string?

We can use this payload:

{{constructor.constructor(valueOf.name.constructor.fromCharCode(...))()}}

Let’s break it down

  • We used valueOf.name because it returns a string value. Right now, it doesn’t matter what string is returned. As long as it’s a string variable – we’re good to go. In the same way, we could use any of the following possibilities as they all generate strings:
  • Now that we have a string variable in our payload, let’s look at its constructor:
  • The constructor itself is a String object! Now, all we have to do is to add a dot character and access all of the available functions in the String object including fromCharCode

By getting to the String object in this indirect way, even though the object itself isn’t in Angular’s scope, we can create an Angular, Client-Side Template Injection payload without needing single or double quotes

And here’s our alert 🙂 without quotes.

Acknowledgements

Big shout-out goes to the folks from PortSwigger and Tomer Haddad


A Taxonomy on Brute Force Attacks

Brute force attack is a well-known technique of trial and error attempts used by attackers to gain access to unauthorized data. It can be leveraged against servers as an online attack and also against files as a local attack.

The common denominator of all these types is that the same pattern is almost always the same:

In most cases the attacker would have to know two major keys from the diagram – let’s take for example a common scenario where the attacker tries a brute-force attack on the login interface of an applicaiton in order to find the correct credentials of a certain account. The known keys would be:

  1. Something I know – In this case, the username of the account that the attacker wants to hijack.
  2. The result – On each attempt, the attacker receives an indicator of failed/successful result.

The well-known brute-force methods are:

Read more

Secure Development Lifecycle for Open Source Usage

Preface How do we adjust the SDL (Security Development Lifecycle) process for the growing use of open source in internal/external systems we develop and maintain? This is a question I hear a lot lately from our customers in some recent SDL projects we (AppSec Labs) carried out for our customers. After we did some research, […]

Hacking Android Apps Through Exposed Components

In almost every Android application, developers expose activities without sufficient protections. Exposing activities can lead to various attacks. For example, an attacker or a malicious app installed on the same device, can call those exposed activities to invoke internal pages of the application. Calling internal pages puts the application at risk of phishing by manipulating […]

XXE Attacking Guide

Many different client technologies such as web, mobile, cloud and more – send messages to business applications using XML. In order for the application to work with these self-descriptive XML messages, it has to parse them and check that the format is correct.

This article will describe XML External Entity (XXE) injection attack and its basics in order to provide you with a better understanding of the attack and how to deal with it.

Since we will be talking about XXE injection, first we should understand the meaning of external entities and what they allow us to achieve.

External entities refer to data that an XML processor has to parse. They are useful for creating a common reference that can be shared between multiple documents. Any changes that are made to external entities are automatically updated in the documents which contain references to them. Meaning, XML uses external entities to fetch information or “content” – into the body of the XML document.

Read more

Embedded Ajax Brute-Force Tool

There are a few cases when preparing a PoC for brute-force attack on the login page can be complicated. It is no longer uncommon to find a login form based on web sockets, or which implements some sort of client-side encryption with JavaScript. In these cases, configuring a brute-attack quickly with a middle proxy (e.g. Burp’s Intruder) is not possible. It also happens that clients request for the penetration testings to be conducted on a specific machine, without access to common attacking tools.

For these reasons, I wrote a very minimalistic brute-force tool that runs inside the browser (the source code, following this post, has to be copy-pasted into browser’s JavaScript console).

Read more

Case study – Open Redirect

Most of us are familiar with the ‘Open Redirect’ vulnerability; an OWASP top 10 vulnerability that takes advantage of a situation in which the application receives a parameter from the client and uses it to build the URL location to which the user is redirected, without performing sufficient validation on the received input.

Typically, attackers can exploit vulnerable applications in order to perform phishing attacks, redirecting the victims to phishing sites that look exactly (or partially) like the vulnerable application. The victims tend to believe they are still in the original website, and provide their credentials in order to perform the required login. Unfortunately, these credentials are sent directly to the attacker.

A Classic Open Redirect Scenario

The following image demonstrates a vulnerable website (victim-site.com), which is vulnerable to the common open redirect scenario; a login page that will redirect the user to the page specified in the ‘returnURL’ parameter after successful login (the rectangle outlines the URL of the index page):

Read more

How to edit Char Sequence objects in net beans

In Net beans 8, during debugging (in my case, smali debugging), you cannot change char sequence variables, they are shown as read-only strings. An example of usage is Android text-elements (EditText) whose value is stored in Obj.mText.mText in a char sequence. The following screenshot, shows a Tree view, but you cannot change the field in table view either.

netbeans1
So, I tried do the same with Net beans 6.8 and I found that it let me edit char-sequence variables. After some research I figured out that in order to enable editing of those variables I need to disable the auto formatting. You do this in tools menu -> options and remove the V of Default Char sequence formatter:

Read more

Negative Subtracting – Bypass the Protection

Introduction to negative subtracting
We all know about the negative subtracting issue. For example, if I transfer money to you, it is reduced from my account and added to your account. The code looks something like:

Myaccount.value = myaccount.value – transfer.amount
Youraccount.value = youraccount.value + transfer.amount

Now, what happens if I transfer a negative value to your account? We know that subtracting two negatives give a positive, so if I transfer minus one hundred to you, my account will increase by one hundred and your account will be reduced by one hundred.

Another example is an online roulette game. The house always wins eventually, because the chances are against the player. But we can turn it simply by betting a negative value. Now, each time we lose, we lose a negative value which means that we actually win…

Up until here it is clear and simple and I hope that everyone knows it.

 

Example of (in)secure code
I recently came across a code that looked secure at first impression, but only upon second glance I understood that it is not secure at all. Let me start by showing you the code (C language), I modified it to become like a hacme game…:
 
Read more