Burp community forum

False Negative in AngularJS XSS?

Nicolas | Last updated: Apr 17, 2019 04:00PM UTC

Hello, I have a vulnerable web application where injection inside an AngularJS 1.0.0 context is possible. That leads to an XSS via {{...}}, which is easily exploitable. I know that, at some point, Burp Suite managed to detect this vulnerability (I even have screenshots!). However, I tried today with v2beta20 and v1.7.37, and I didn't manage to find this bug through an Active Scan. I triple-checked my setup and everything looks OK. So I wonder if that's a regression... Cheers, Nico

Liam, PortSwigger Agent | Last updated: Apr 17, 2019 04:01PM UTC

Thanks for keeping us updated Nicolas. Please let us know if you need any further assistance.

Burp User | Last updated: Apr 17, 2019 04:19PM UTC

Now tested with v1.6.36 (afaik the first version including this check), v1.7.37 and v2.beta20. None of them found the bug. I think that the problem is on my side. I'll keep you posted!

Burp User | Last updated: Apr 30, 2019 04:57PM UTC

I gave a training last week (using v1.7.37), and no trainees managed to identify this bug via an ActiveScan (me neither). And I'm sure the bug is there (we exploited it). So I'm back at considering this behavior as a Burp Suite regression... I'll look into putting online a minimalist repro.

Burp User | Last updated: Apr 30, 2019 05:26PM UTC

Public testbed: http://www.hackgarri.pw/Hoeng5ei/?lang=aabb

v1.7.37 + ActiveScan + Scan speed = Thorough + Scan accuracy = Minimize FP + "Use intelligent attack selection" disabled => no findings

v1.7.37 + default scanning options + Intruder's "Actively scan defined insertion points" on the value of parameter 'lang' => no findings

However, I see in Logger++ that one of the vectors contains the proper test (which could also be used for SSTI): lang=n18gk%7b%7b818*716%7d%7dnkep

Rose, PortSwigger Agent | Last updated: May 01, 2019 10:21AM UTC

Thanks for the info, Nicolas. We'll investigate this issue and get back to you when we've made some progress.

Hannah, PortSwigger Agent | Last updated: May 01, 2019 10:52AM UTC

Hi Nicolas, we're glad to hear you've discovered the root cause of the issue. Could you confirm that you are seeing this behavior in version 2.1.07?

Burp User | Last updated: Jan 17, 2020 12:01PM UTC

Hi! I finally solved this mystery: Burp Suite will not detect client-side template injections (aka a false negative) when the 'ng-app' attribute is located _before_ the tags loading the AngularJS JavaScript files.

In the following situation ('ng-app' is in 'body'), the bug is detected:

    <html>
    <head>
    <script src="/js/angular-1.0.0.min.js"></script>
    <script src="/js/search.js"></script>
    <body ng-app>
    <div ng-controller="SearchCtrl">
    HERE IS THE INJECTION POINT
    </div>
    </body>
    </html>

Here (only difference: 'ng-app' is in 'html'), the bug is NOT detected:

    <html ng-app>
    <head>
    <script src="/js/angular-1.0.0.min.js"></script>
    <script src="/js/search.js"></script>
    <body>
    <div ng-controller="SearchCtrl">
    HERE IS THE INJECTION POINT
    </div>
    </body>
    </html>

Dixit AngularJS documentation (confirmed by my tests), both locations are valid: https://docs.angularjs.org/api/ng/directive/ngApp
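The root cause described above is a context check that only recognised 'ng-app' on 'body'. As an added example (not Burp's or PortSwigger's code), the following scanner-side check determines whether a reflected marker lands inside an AngularJS 'ng-app' subtree regardless of which element carries the attribute; the two sample responses are constructed from the snippets in the post, and the marker string and tag heuristics are assumptions.

```python
from html.parser import HTMLParser

# Attribute spellings AngularJS accepts for the ngApp directive.
NG_APP_ATTRS = {"ng-app", "data-ng-app", "x-ng-app", "ng:app"}
VOID_TAGS = {"br", "hr", "img", "input", "link", "meta"}


class NgAppScanner(HTMLParser):
    """Tracks whether a reflected marker is inside an ng-app element's subtree."""

    def __init__(self, marker):
        super().__init__()
        self.marker = marker
        self.stack = []              # currently open non-void elements
        self.app_depth = None        # stack depth when the ng-app element opened
        self.app_closed = False      # set once that element has been closed
        self.ng_app_tag = None       # element carrying ng-app (html, body, div, ...)
        self.angular_loaded = False  # a <script src> referencing angular was seen
        self.marker_in_scope = False

    def handle_starttag(self, tag, attrs):
        attr_map = dict(attrs)
        if tag == "script" and "angular" in (attr_map.get("src") or "").lower():
            self.angular_loaded = True
        # Accept ng-app on ANY element, not just <body>: this is the gap the thread describes.
        if self.app_depth is None and NG_APP_ATTRS & set(attr_map):
            self.app_depth, self.ng_app_tag = len(self.stack), tag
        if tag not in VOID_TAGS:
            self.stack.append(tag)

    def handle_endtag(self, tag):
        # Pop through the matching open tag; tolerates the unclosed <head> in the snippets.
        while self.stack and self.stack.pop() != tag:
            pass
        if self.app_depth is not None and len(self.stack) <= self.app_depth:
            self.app_closed = True

    def handle_data(self, data):
        if self.marker in data and self.app_depth is not None and not self.app_closed:
            self.marker_in_scope = True


def angular_context(html, marker):
    """Return (angular_loaded, ng_app_tag, marker_in_scope) for one HTML response."""
    scanner = NgAppScanner(marker)
    scanner.feed(html)
    scanner.close()
    return scanner.angular_loaded, scanner.ng_app_tag, scanner.marker_in_scope


# Constructed samples mirroring the two layouts from the post (assumed marker text).
MARKER = "HERE IS THE INJECTION POINT"
NG_APP_ON_BODY = ('<html><head><script src="/js/angular-1.0.0.min.js"></script>'
                  '<script src="/js/search.js"></script><body ng-app>'
                  '<div ng-controller="SearchCtrl">' + MARKER + '</div></body></html>')
NG_APP_ON_HTML = NG_APP_ON_BODY.replace("<html>", "<html ng-app>").replace("<body ng-app>", "<body>")
```

Both sample documents yield the same verdict (AngularJS loaded, marker inside the ng-app scope), which is what a correct context check must report before an active scanner decides whether to send its template-expression probe.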

Hannah, PortSwigger Agent | Last updated: Jan 20, 2020 01:44PM UTC

Could you provide me with the search.js file you used and your scan configuration (if it isn't the default) so I can replicate this issue?

Burp User | Last updated: Jan 21, 2020 10:01AM UTC

Yes, absolutely: testing was done under Burp Suite Pro v2.1.07. Note: it seems that this check never worked in this specific scenario (i.e. it's NOT a regression).
