Burp Suite User Forum

AngularJS - Client-Side Template Injection

Kelley | Last updated: Apr 05, 2017 09:19PM UTC

Hello - I'm testing a web app that is using AngularJS v1.3.11. Burp has flagged multiple high risk client-side template injection issues with a confidence of firm. I'm trying to figure out if this is a false positive or something I need to report. Essentially, Burp is flagging that it is possible to inject arbitrary expressions into the client template. An example would be where users enter their email address. Burp then appends some characters and then it shows it in the template response where the email address value is the value the user enters plus the characters Burp inserted. I'm leaning towards this being a false positive since the template is just taking whatever the user inputs into this field and populates the value of the form, so I'm not sure what appending additional characters proves. Any way to figure out if this is legit or not?

Burp User | Last updated: Apr 05, 2017 09:31PM UTC

Note: In regards to the email address, the application is doing client and server side validation to ensure the email address is in a valid format. The Burp injection was able to include characters that are not allowed.

Burp User | Last updated: Apr 05, 2017 10:01PM UTC

Upon further investigation, the inserted characters are not getting past the server side validation. Basically, the application is echoing back "email is in invalid format" and populates the text box with the Burp entry.

Burp User | Last updated: Apr 05, 2017 10:40PM UTC

Update: Looks like these Burp findings were legit. I was able to get XSS to work by bypassing the sandbox using this example: https://finnwea.com/blog/stealing-passwords-from-mcdonalds-users

PortSwigger Agent | Last updated: Apr 06, 2017 07:57AM UTC

Glad you got an exploit working. XSS via AngularJS injection breaks all the normal rules!

Burp User | Last updated: Apr 07, 2017 03:51PM UTC

Hi Dafydd - Would you consider this two different issues in terms of vulnerabilities that the client should address? 1. Client-Side Template Injection 2. XSS via AngularJS Injection. Or would you just wrap this into one finding "XSS via AngularJS Injection"?

PortSwigger Agent | Last updated: Apr 07, 2017 08:19PM UTC

In terms of action by your client, it's most likely a single issue.

Burp User | Last updated: Apr 07, 2017 10:07PM UTC

Thanks!
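
Added example, not part of the thread and not code from the application discussed: a sketch of the error-page echo described above, showing that HTML-escaping the rejected email leaves AngularJS interpolation markers intact, next to a hardened render that places the echoed value inside AngularJS's `ng-non-bindable` directive. The function names, the markup and the probe string are assumptions constructed for illustration.

```javascript
// Added example: server-side render of the "invalid email" form, weak vs. hardened.
// All function names and the markup are hypothetical.

// Standard HTML escaping. Curly braces are not HTML-special, so they pass through.
function htmlEscape(s) {
  return String(s).replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;'
  }[c]));
}

// Weak: the rejected value is echoed into markup that AngularJS compiles,
// so any {{ ... }} in it is treated as an expression by the client.
function renderWeak(email) {
  return '<div ng-app><p>email is in invalid format</p>' +
         '<input name="email" value="' + htmlEscape(email) + '"></div>';
}

// Hardened: same echo, but wrapped in ng-non-bindable so AngularJS does not
// compile the wrapped content. HTML escaping keeps the value from closing the span.
function renderHardened(email) {
  return '<div ng-app><p>email is in invalid format</p>' +
         '<span ng-non-bindable><input name="email" value="' +
         htmlEscape(email) + '"></span></div>';
}

// Regression check for the constructed markup above (not a general HTML parser):
// is an interpolation marker left in a region AngularJS would compile?
function hasLiveInterpolation(html) {
  const compiled = html.replace(/<span ng-non-bindable>[\s\S]*?<\/span>/g, '');
  return /\{\{[\s\S]*?\}\}/.test(compiled);
}

// Constructed probe: a valid-looking address with an arithmetic expression appended.
const probe = 'user@example.com{{7*7}}';

console.log('weak render live interpolation:', hasLiveInterpolation(renderWeak(probe)));
console.log('hardened render live interpolation:', hasLiveInterpolation(renderHardened(probe)));
```

Server-side format validation does not help here because the rejected value is still written back into the page; the fix has to be applied where the value is rendered.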