Angular Expression Injection Vulnerability Challenge
Over the past few years, I've written a lot of Angular. Its been quite the learning experience. It started out messy as hell, got better, got smelly, then got better again, but still isn't perfect. I started out just trying to wrap my head around it and make shit work, like most people. This doesn't always end well...
Recently I found in some of the old apps I built I made some major mistakes. One of the main mistakes being: mixing dynamic server side views with angular views. This can end up giving users the ability to inject Angular expressions into your dynamic server side views. These views can then end up in the scope of your angular application and the expressions will execute.
Troy Hunt does a great job of explaining Angular pitfalls in this post and also in his AngularJS Security Fundamentals course on Pluralsight. I suggest you check those out.
If you feel like you can exploit an Angular expression injection, head over to the little vulnerable app I've setup for you below.
- Website: Restangular Todo App
- Synopsis: This shared todo list is habitually checked by Bob, every 60 seconds.
- Goal: Inject an Angular Expression that will capture Bob's
Authorization: Bearer {token}
header when he checks the site.
Bob really does visit and browse the site. He's an automated script, but it truly renders the application including all the angular code. This isn't a simulated exercise that looks for a magic string, this is a real vulnerability.
Once you've captured the flag auth header, DM it to me on Twitter, then clear out the Todo list so you don't spoil it for anyone else. If you have any issues or think the Bob Bot is down, let me know. If for some reason a bunch of people try to work on this at the same time, I may put together a CTF style VM to be used locally. But for now, lets just be gentlemen EDIT: I've added sessions so there will no longer be any spoiling or collisions!
Have fun!
In a week or so, I will do a write up on how I exploited this. EDIT: The write up is done!
UPDATE: I added some hints over in the comments on the Reddit Post, but I figured I'd post them here as well:
- Chrome Developer Tools is your friend
a. Use the dev tools console to dump an angular object and its scope. This will help you construct the expression to inject. - Remember, Angular can be configured to use different symbols to start and end expressions (This is to avoid template engine collision).
- No sandbox escape is needed.