Stealing Bearer Tokens with an Angular Expression Injection

Stealing Bearer Tokens with an Angular Expression Injection(codesploit.com)

10 points by ryhanson 10 years ago | 6 comments

mikelarned 10 years ago |

It looks like this is only possible when we are mixing server side / client side templates? Enter an expression into input, a user hard refreshes and the expression is rendered into our angular template. Are there any good approaches to always scrubbing expression input on the server side (or just avoid the client side / server side template mix?)

ryhanson 10 years ago | |

That is the most common occurrence of this issue. It can also happen with directives that use transclude or if the app is explicitly call Angular's $interpolate function on a user's input.

You should definitely avoid mixing server side and client side templates, but if that's too much work, scrubbing would work. You would need to strip the expression stand and end symbols. Default symbols are '{{' and '}}', but some apps use different symbols to avoid collisions with other template engines that use the double curly brace.

rpkelley 10 years ago |

I bet there are a lot more production angular apps out there than people think that have this vulnerability right now.

ryhanson 10 years ago | |

From the research I have done, this is a true statement. The reason being is people are adding Angular into their web apps that were initially built with an MVC framework of some sort.

The problem ends up being that they mix server side templates with client side templates. If user input is rendered in a server side template and ends up in an element that is part of the Angular scope, the expression will evaluate. So attaching an angular controller to your body tag and then including server side templates within the body, is bad...

bossmojoman 10 years ago |

Crazy, now to go double check all my angular code

lorenmorris 10 years ago |

This is a legitimate comment.