Name is required.
Email address is required.
Invalid email address
Answer is required.
Exceeding max length of 5KB

False Negative in AngularJS XSS?

NIcolas Grégoire Apr 17, 2019 04:00PM UTC

Hello,

I've a vulnerable Web application where injection inside an AngularJS 1.0.0 context is possible. That leads to a XSS via {{...}}, that is easily exploitable.

I know that, at some point, Burp Suite managed to detect this vulnerability (I even have screenshots!). However, I tried today with v2beta20 and v1.7.37, and I didn't manage to find this bug through an Active Scan.

I triple-checked my setup and everything looks OK. So I wonder if that's a regression...

Cheers,
Nico


NIcolas Grégoire Apr 17, 2019 04:19PM UTC
Now tested with v1.6.36 (afaik the first version including this check), v1.7.37 and v2.beta20. None of them found the bug. I think that the problem is on my side. I'll keep you posted!

Liam Tai-Hogan Apr 18, 2019 09:28AM UTC Support Center agent

Thanks for keeping us updated Nicolas. Please let us know if you need any further assistance.


NIcolas Grégoire Apr 30, 2019 04:57PM UTC
I gave a training last week (using v1.7.37), and no trainees managed to identify this bug via an ActiveScan (me neither). And I'm sure the bug is there (we exploited it). So I'm back at considering this behavior as a Burp Suite regression...

I'll look into putting online a minimalist repro.

NIcolas Grégoire Apr 30, 2019 05:26PM UTC
Public testbed: http://www.hackgarri.pw/Hoeng5ei/?lang=aabb

v1.7.37 + ActiveScan + Scan speed = Thorough + Scan accuracy = Minimize FP + "Use intelligent attack selection" disabled => no findings

v1.7.37 + default scanning options + Intruder's "Actively scan defined insertion points" on the value of parameter 'lang' => no findings

However, I see in Logger++ that one of the vector contains the proper test (which could also be used for SSTI): lang=n18gk%7b%7b818*716%7d%7dnkep

Rose Krawczuk May 01, 2019 10:22AM UTC Support Center agent

Thanks for the info, Nicolas. We’ll investigate this issue and get back to you when we’ve made some progress.


Post Your public answer

Your name
Your email address
Answer