Team we45
April 9, 2017

Technology is changing at a rapid pace and companies are always looking to adopt newer technologies that may be easy-to-use, more convenient for their customers and so on. However, these technologies are often implemented without considering security.

AngularJS is a front end component of the popular MEAN Stack (Applications created with MongoDB, ExpressJS, AngularJS and NodeJS). The main aim of using AngularJS is to simplify the representation, development and testing of applications. It provides a framework for client-side model–view–controller and model–view–view model architectures, along with components commonly used in rich Internet applications.

As per the JavaScript analytics service Libscore, AngularJS is used on the websites of Wolfram Alpha, NBC, Walgreens, ABC News, and approximately 12,000 other sites out of 1 million tested in October 2016.

One of our recent engagements was a penetration test of a global FinTech 100 firm, which is a premier financial technology provider. Their clients includesome of the leading Online Brokerage firms, two of the top U.S. banks and multiple financial institutions. Their application uses Angularjs framework extensively.

The application used a fairly newer version of AngularJS, version 1.5.7 was found to be vulnerable to Client Side template injection with a bypass payload. In this application, the entry point for the attack was a custom "name" parameter which was found to be vulnerable to Persistent XSS. Leveraging this vulnerability, an attacker is able to inject Client Side Code into the application’s parameters and perform multiple attacks, including Session Hijacking, Malicious Redirect and other attacks.

We went ahead and crafted a client-side script which forwards the cookie details of the victim to a listener which we had setup on our server. We were able to obtain complete access to a Super Administrator's account who had viewed the page containing the malicious script. We were able to perform and modify high value transactions from the super administrator's profile in the application.

How did we identify the Vulnerability?

We noticed that the HTML page contained 'ng-app' in the view source of the page. This means that templates are used in the application, which will be rendered by AngularJS.

Angular expressions are sandboxed to limit the exposure of the DOM and maintain a proper separation of application responsibilities. In order to perform a successful exploit we need to break out of the sandbox and execute arbitrary JavaScript.

Angular templates contain expressions inside double curly braces such as '{{5-1}}', which is a mathematical expression that would be evaluated and rendered as '4'.

To execute malicious JavaScript inside of the double curly brackets we need to escape the sandbox.

Bypassing the sand box in the early versions 1.0.1 - 1.1.5 was easy by using the following payload:{{constructor.constructor('alert(1)')()}}

The payload used in this application to initiate the attack was

:{{x = {'y':''.constructor.prototype}; x['y'].charAt=[].join;$eval('x=alert(document.cookie)');}}

In earlier versions until 1.1.5, it is also possible to perform XSS attacks by Bypassing the CSP, by injecting "ng-click="$event.view.alert(1)" as the payload. This is possible as "$event" exposes "window" through "view".

<h1 ng-click="$event.view.alert(1)">XSS!!</h1>

It is a known fact that most applications which use AngularJS, use the older versions. Multiple sites are still using the versions from 1.0.1 to 1.1.5. The migration to newer versions is often overlooked as it might be a laborious process; However, migration to newer version alone is not to be considered as an effective solution to mitigate expression injection.

The possible remediation for this vulnerability would be to avoid embedding user input dynamically into client-side templates. If that is not feasible, filtering of template expression syntax before embedding the input into client-side templates should be considered.

AngularJS expands the attack surface of an application significantly, hence developers need to know about the latest bypasses and build the necessary remediation in their applications.