2. www.valencynetworks.com
What is AngularJS?
• JavaScript framework
• Open source
• Model-View-Controller architecture
• Helps to extend the HTML vocabulary for your application and is used in Single Page Application (SPA) projects
How to identify AngularJS page?
Manual way : Check the page source for the directive named ‘ng-app’.
By using plugins : Use Chrome plugins such as ng-inspector, ng-inspect or AngularJS inspector.
How to check for vulnerabilities on an Angular page?
Step 1 : Find any input field on the web page that is associated with the GET method.
Step 2 : If you find such an input field, assess it by passing expressions and checking whether they get evaluated, as follows:
In this case, binding occurs in the code and {{this}} gets associated with the $scope object, which indicates that anything inside an expression can get evaluated. Similarly, we can try passing the following expressions:
What are the different vulnerabilities found and their types?
XSS : The payload used here was {{x = {'y':''.constructor.prototype}; x['y'].charAt=[].join;$eval('x=alert(1)');}}
Remote Code Execution (RCE) : Here, if the GET method/parameter is assigned to any input field, it can be exploited using server-side template injection or the Metasploit framework. A recent example of remote code execution on uber.com can be found at the following link: https://hackerone.com/reports/125980
Broken authentication and session management : This is one of the OWASP Top 10 vulnerabilities. In this case, $scope exposes the session objects, which could be exploited. This can be checked in the dev console by calling angular.element('html').scope(), which returns the scope object for that particular element.
Usage of objects such as toString(), constructor, prototype, charAt() : These functions and properties can be overridden or manipulated so that a call reaches malicious code and escapes the sandbox by making AngularJS execute traditional JavaScript.
Dynamic generation of templates or expressions from user-provided content : If user-provided content is passed through functions such as $eval, $watch or $apply, then the web application is at risk of XSS attacks.