Support Center

Burp Community

See what our users are saying about Burp Suite:

How do I?

New Post View All

Feature Requests

New Post View All

Burp Extensions

New Post View All

Bug Reports

New Post View All

Burp Suite Documentation

Take a look at our Documentation section for full details about every Burp Suite tool, function and configuration option.

Full Documentation Contents Burp Projects
Suite Functions Burp Tools
Options Using Burp Suite

Burp Extender

Burp Extender lets you extend the functionality of Burp Suite in numerous ways.

Extensions can be written in Java, Python or Ruby.

API documentation Writing your first Burp Suite extension
Sample extensions View community discussions about Extensibility
Name is required.
Email address is required.
Invalid email address
Answer is required.
Exceeding max length of 5KB

angularJS - Client-Side Template Injection

Kelley Bryant Apr 05, 2017 09:19PM UTC

Hello - I'm testing a web app that is using AngularJS v1.3.11. Burp has flagged multiple high risk client-side template injection issues with a confidence of firm. I'm trying to figure out if this is a false positive or something I need to report. Essentially, Burp is flagging that it is possible to inject arbitrary expressions into the client template. An example would be were users enter their email address. Burp then appends some characters and then it shows it in the template response where the email address value is the value the user enters plus the characters Burp inserted. I'm leaning towards this being a false positive since the template is just taking whatever the user inputs into this field and populates the value of the form, so I'm not sure what appending additional characters proves. Anyway to figure out if this is legit or not?

Kelley Bryant Apr 05, 2017 09:31PM UTC
Note: In regards to the email address, the application is doing client and server side validation to ensure the email address is in a valid format. The Burp injection was able to include characters there are not allowed.

Kelley Bryant Apr 05, 2017 10:01PM UTC
Upon further investigation, the inserted characters are not getting passed the server side validation. Basically, the application is echoing back "email is in invalid format" and populates the text box with the Burp entry.

Kelley Bryant Apr 05, 2017 10:40PM UTC
Update: Looks like these Burp findings were legit. I was able to get XSS to work by bypassing the sandbox using this example:

Dafydd Stuttard Apr 06, 2017 08:44AM UTC Support Center agent

Glad you got an exploit working. XSS via AngularJS injection breaks all the normal rules!

Kelley Bryant Apr 07, 2017 03:51PM UTC
Hi Dafydd - Would you consider this two different issues in terms of vulnerabilities that the client should address? 1. Client-Side Template Injection 2. XSS via AngularJS Injection. Or would you just wrap this into one finding "XSS via AngularJS Injection"?

Dafydd Stuttard Apr 07, 2017 08:19PM UTC Support Center agent

In terms of action by your client, it’s most likely a single issue.

Kelley Bryant Apr 07, 2017 10:07PM UTC

Post Your public answer

Your name
Your email address