What's up guys, we're going to be running a DOM-based cross-site scripting attack. We're going to be exploiting a vulnerability in the way that some AngularJS code has been written. Now, just some basic information: what is AngularJS? It's a JavaScript framework. It's been deprecated, or unsupported, since 2022 and is being replaced by Angular, which is also a JavaScript framework but actually makes use of TypeScript, so it's really a TypeScript framework.

Now, we're going to get to the solution fairly quickly, but it's important to understand that the solution is really just the beginning in this particular lab. There's no point having the solution if we don't understand why the solution is working. At the time of creating this video there is no decent explanation online as to why this particular exploit works, so we're going to be doing a bit of a deep dive into this particular vulnerability.

So let's start with the vulnerability itself. The CliffsNotes version is as follows: JavaScript frameworks often evaluate content contained within these curly brackets, {{ }}, and we can often check for injection vulnerabilities just by providing a very simple JavaScript expression. For example, let's put 1+1 in between these curly brackets: {{1+1}}. Now, if the blog is handling input correctly, we should really just see those curly brackets and 1+1 echoed to the page. But if we click search, we'll see that we actually get zero search results for 2, as if 2 was our input search string, but it wasn't. We can see that those curly brackets have been evaluated and the resultant value of the JavaScript expression has been returned, which is 2, the value of 1+1.

Now, although we can execute JavaScript expressions, there are some safeguards in terms of executing JavaScript functions. So unfortunately we can't just do something like put a JavaScript alert function within these curly brackets. If we search for that, you can see it's obviously been stripped from the page. There are clearly some security protocols in place.
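From the defender's side, the same {{1+1}} probe and the constructor-based payload discussed in this video show up in request logs long before an alert box does. As an added example (not from the video), the following Node script scans access-log lines for interpolation markers in query parameters and flags the ones that name constructor; the log lines, client addresses and the search parameter are constructed for illustration.

```javascript
// Added example, not from the video: spot AngularJS template-injection probes
// ({{1+1}}) and Function-constructor payloads ({{$on.constructor(...)()}})
// in web server access logs.

// Constructed access-log lines (Common Log Format) for this example.
const ACCESS_LOG = [
  '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /?search=angular HTTP/1.1" 200 5120',
  '10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /?search=%7B%7B1%2B1%7D%7D HTTP/1.1" 200 5140',
  '10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /?search=%7B%7B%24on.constructor(%27alert(1)%27)()%7D%7D HTTP/1.1" 200 5200',
  '10.0.0.11 - - [01/Jan/2024:10:00:04 +0000] "GET /?search=%7B%7Bfoo%7D%7D HTTP/1.1" 200 5100',
];

// Pull the request target out of the quoted request line.
const REQUEST_RE = /"(?:GET|POST) (\S+) HTTP\/[\d.]+"/;

// Return the body of every {{ ... }} interpolation inside a decoded value.
function extractInterpolations(value) {
  const found = [];
  const re = /\{\{([\s\S]*?)\}\}/g;
  let m;
  while ((m = re.exec(value)) !== null) found.push(m[1].trim());
  return found;
}

// Classify one interpolation body:
//  - 'constructor-escape': reaches the Function constructor via .constructor
//  - 'arithmetic-probe'  : a pure number expression such as 1+1, the classic probe
//  - 'interpolation'     : any other {{ }} content in a user-supplied parameter
function classifyExpression(expr) {
  if (/\bconstructor\b/.test(expr)) return 'constructor-escape';
  if (/^[\d\s+\-*\/().]+$/.test(expr) && /\d/.test(expr)) return 'arithmetic-probe';
  return 'interpolation';
}

// Scan log lines and report every interpolation found in a query parameter.
function scanAccessLog(lines) {
  const findings = [];
  for (const line of lines) {
    const m = REQUEST_RE.exec(line);
    if (!m) continue;
    // URL + searchParams percent-decode the parameter values for us.
    const url = new URL(m[1], 'http://placeholder.invalid');
    for (const [name, value] of url.searchParams) {
      for (const expr of extractInterpolations(value)) {
        findings.push({ client: line.split(' ')[0], param: name, expr, kind: classifyExpression(expr) });
      }
    }
  }
  return findings;
}

for (const f of scanAccessLog(ACCESS_LOG)) {
  console.log(`${f.client} ${f.kind} in "${f.param}": ${f.expr}`);
}
```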
So I'm going to give you a payload which is going to solve the lab, and then we're going to have to try and figure out why exactly this is working. So the payload: it's going to make use of these curly brackets. We are going to use $eval.constructor, and in brackets we're going to pass the JavaScript alert function as a string, so we're going to use single quotes here: 'alert(...)'. And then we actually need to call this function, so we need another set of brackets to indicate that the result of this expression, which is going to be a function, is then going to be called. Put together, that's {{$eval.constructor('alert(...)')()}}. Don't worry too much if it doesn't make sense at this stage. Let's just run this payload, and you can see we get an alert box on the screen.

Now, there are quite a number of solutions to this lab online, and in most cases it's just someone pasting this particular payload into the search box. So I just want to emphasize that this is not hacking. Copying and pasting a payload is not hacking. The payload, in this instance, is the easy part of the lab. The purpose of this lab is to understand what the exploit is and why exactly the exploit is working.

On another related note, sometimes web developers have the luxury of assigning themselves as developers of a specific framework, so you'll sometimes hear developers say things like "I'm a React developer" or "I'm an AngularJS developer". Security researchers don't have that luxury. We need to be familiar with all of the available frameworks, at least to some level, and in some cases we need to be aware of certain features of a framework that even the developers are not aware of, because we're approaching this from a different angle: we're looking to find security vulnerabilities, not just to understand how the framework works for development purposes.

So to fully understand the solution, we need a better understanding of how AngularJS works. We also need a little bit of a deeper dive on how certain features of JavaScript work in order to understand this payload. So the best way to actually
understand these concepts is to build a very basic AngularJS document. So it's just going to be an HTML document, and we're going to have some head tags, and inside the head tags we are going to paste the CDN link, the content delivery network script for AngularJS. Sorry, I also just had to change the theme there; that colour scheme wasn't doing it for me. This is the Abyss theme in Visual Studio Code.

So we'll create a body section, and this is going to be where the actual Angular app itself is going to exist. We make use of what's known as an Angular directive, and you'll recognize these because they always start with ng-. So we want ng-app= and we'll give this a name; we're going to call it myApp. Angular apps also make use of a controller, and we can specify the name of the controller with ng-controller=; we'll just call it myControl for simplicity's sake.

So the next step is to actually initialize our app. We're going to say var app = angular.module(...). angular is what's been imported by that CDN; we pass the name of the app and then we pass an empty array. Now we can start building our controllers. We'll say app.controller(...), we'll again pass the name, which is myControl in this case, and then we need to pass a function, and that function takes a $scope variable as a parameter. The idea is we can now specify values on $scope, so we can do something like $scope.firstName = 'Adam', and then within the Angular app itself we can actually reference the variables that are in scope directly. Before we do that, though, let's just include script tags here, because this is actually JavaScript. So I'll open a <script> tag and we'll just move the closing </script> tag to after the code. Then, in the body, we're going to pass in the variable that has been defined in scope, which is firstName, between curly brackets: {{firstName}}. Also, just as a quick example, to mirror what we attempted on the lab, we can also pass in other valid JavaScript expressions such as {{1+1}}. Obviously this doesn't care about the scope,
since 1+1 equals 2 regardless of the situation. So now if we head into our directory, let's just fire that up in Firefox. First of all we're expecting to see our variable referenced from scope, which is Adam, and we also see the result of that JavaScript expression too.

Now if we add some additional curly brackets, let's just pass in our payload: so it's $eval.constructor, pass in the alert function inside a string, and then we call that function. Let's save that, let's refresh our Firefox page, and at this stage we've essentially reproduced this cross-site scripting attack in our own lab, which we can experiment with.

So the key takeaways so far are that we have access to certain properties that are defined within the scope within the controller. We have some user-defined properties in scope, but we also have a bunch of other properties, objects and functions which are in scope of this Angular app, and one example of an in-scope function is $eval. Now, if you're wondering about the dollar sign, it doesn't really have any meaning; it's just a convention. JavaScript frameworks often like to prefix some of their methods with this dollar sign just to indicate that it's part of the framework and not something that's been defined by the user. It helps to keep that namespace clean: there are going to be no conflicts, because the framework is always prefixing its methods with this dollar sign. So it doesn't have any special meaning by itself.

Now, how do we know which properties and methods are available on the Angular app that we have access to? It would be nice to be able to access this scope from within the JavaScript console in the web browser, and there's a way of doing that. So a little trick here: I'm just going to create an empty paragraph and I'm going to assign it an ID of test. So we are back in our browser and we've fired up the dev console. I'm going to target that paragraph with the ID of test and get its scope. The way we do this is angular.element, and we're
actually going to pass some vanilla JavaScript. There is a way of doing this with Angular; I prefer doing it this way, however. So document.getElementById, and we simply need to pass the ID of the element, which is test. We can then call .scope() on the element that's returned, and this is essentially our scope: angular.element(document.getElementById('test')).scope(). We now have access to this particular object. Now, just to make things a little bit easier, we can say let scope and assign this fairly large piece of JavaScript to it, so from now on we can just access it through the scope variable. Let's expand that object and see what's available. We see a range of objects and properties available in the scope, but we also need to check out this prototype. These are essentially properties and methods that don't belong to the object itself initially but have been inherited from a parent.

This is why we said we have to understand a little bit about how JavaScript works, and one of the important concepts here is inheritance. Any time we create an object in JavaScript, it inherits some default properties and methods from its prototype. Just as an example of this, when we create something like an array in JavaScript (and by the way, an array in JavaScript is not considered a primitive; it's actually a type of object), you're probably familiar with the idea that we have access to methods on that array which we didn't define ourselves. For example, we have access to something like .forEach. Well, we didn't define that on the array; it was just automatically there as part of the array. So where did that come from? It came from the prototype. Now in this case with the array, the prototype is something that's embedded into the JavaScript language, so every time we create an array it automatically comes with these inherited methods. So it's the same concept here when we click on the prototype, but these are not necessarily properties that are inherent to JavaScript; they've actually come from higher up within
the Angular app. In fact, what we need to do in this case, since we are operating from inside a controller rather than the default Angular scope, is first of all go to $parent and then go to the prototype on the parent. Now we see various methods (notice they're all prefixed with the dollar sign) that are exposed to us and are technically within the scope of those curly brackets that we're using in the HTML document. Notice we have $eval. Now, you might be wondering what's special about $eval, and the answer is nothing. The main characteristic we're looking for here is simply that it's a function. If you have a look at the lab guidelines and the lab solution on the Burp Suite Academy lab, you'll see that they don't use $eval; they actually use $on. And in fact we could presumably use any of the available functions here to launch this cross-site scripting attack.

So why does any function work? What is the idea behind this particular attack? Again, we need to go back to some basic understanding of JavaScript, and I say basic, but it's possible that a lot of JavaScript developers don't know this. When I say basic, I mean it's a core, fundamental feature of how the language works, but it's almost like it's low level enough that it's not usually touched by the average JavaScript developer.

So for now I'm going to get rid of this payload, just so we don't have an alert popping up on the page each time, and we're actually going to run some vanilla JavaScript. Now, regardless of whether we write JavaScript or not, we're probably familiar with the idea that we can code a function in a programming language. The way that's usually done in something like JavaScript, the default vanilla way of doing this, is we say something like function, we give it a name, we can call it test for example, and then we provide what that function does inside those curly brackets. So we can say console.log, which needs to be
followed by a regular bracket for the function call, and inside we can say hello world: function test() { console.log('hello world') }. This won't do anything yet; this just defines the function. So if we refresh the page nothing's going to happen, but we have created a function; it's just not being executed. If we want this to execute, the next thing we do is actually execute the function: we type the name of the function and then we put those regular brackets, test(), to indicate that we want to call this function right now. So if we head back to Firefox and refresh the page, we now see hello world echoed to the console. This is one of the first things that you learn in any programming language really, especially JavaScript: how to write a function.

What you may not know is that there is actually also a Function constructor function. It's basically a function for creating functions, and it's not generally used. The reasons why are explained very well by the MDN docs. It says calling the constructor directly can create functions dynamically (we'll get to that shortly) but suffers from security and similar performance issues as eval. So in other words, when translated, it's saying you can do this, it's a feature of JavaScript, but it's not recommended; it's not the correct way of creating functions. Having said that, it works.

So heading back to our JavaScript, let's apply that logic and create a function using the Function constructor. We say Function, and the way it works is we pass the actual function body as a parameter inside a string. So if we put the alert call inside that string, Function('alert()'), we've actually created a function. Now, at this stage it's an anonymous function, but we can give it a name. So let's call it test: let test = Function('alert()'). Then we're calling the test function, test(). Now if we head back to the page and refresh, you can see we get the alert popped up on the page. And just so it's the
same as the other example, let's see if we can console.log hello world. So we'll do console.log, and obviously we need to make use of double quotes because we're inside a single-quoted string: let test = Function('console.log("hello world")'). Let's refresh the page, and now we get hello world echoed to the console. So we've reproduced the original code, but this time we're making use of the Function constructor, which is not recommended according to the MDN docs, but the point is that it works.

Now, we gave it a name because without a name it was an anonymous function. So if we just declare the function like this, Function('console.log("hello world")'), and refresh the page, nothing's going to happen, because it's the equivalent of declaring a function but not calling it. Remember what the doc said, though: calling the constructor directly can create functions dynamically. So what does that line actually mean? When translated, it means we can call this function directly. We haven't given it a name, but if we just add some regular brackets on the end of this anonymous function, Function('console.log("hello world")')(), it will call the function. So it's creating and calling the function in one line. Let's refresh the page, and now we get hello world echoed to the console.

So thinking back to our exploit that we used in the lab, you can hopefully get a feel for what the additional brackets are actually doing: they're calling the function directly. Now, this doesn't explain everything about the payload, because we still have the beginning of the payload, which was $eval (or we can use $on; it does the same thing), and then we have .constructor. The question is: what is that .constructor? Now, you're hopefully familiar with the idea of a constructor function within a class: it's a piece of code that's executed when that class is instantiated into a new object. In other words, it's a function or a method. What we're looking at here is not a method; it's a property of an object, and remember when we were talking about inheritance and prototypes, it's one of those properties that exists on objects and functions by default. We can see a quick description here on MDN. It
says the constructor data property of an object instance returns a reference to the constructor function that created the instance object. Now, if you were looking at the payload and thinking, well, this is not a property, it must be a method because it's followed by those brackets afterwards, then just ignore that for now; I'll get to that shortly. This is not a method, it is a property, and we've just seen it returns a reference to the constructor that created the object, or the function, that we're in.

Now, don't worry if you're confused. Let's just recreate the regular vanilla version of our test function: function test() { console.log('hello world') }. Now we've created a function, but there's going to be some inheritance here. In other words, that test function actually has some properties, and as an experiment let's console.log(test.constructor) and see what we get. Notice we get this function with the name of Function. Remember we said it was a reference to the constructor? Well, however functions are created, behind the scenes they're made by making use of that Function constructor, which creates functions. In other words, we have a reference to that Function constructor function. As weird as this seems, we can actually use this to create new valid functions. So I could do something like let mySecondFunction = test.constructor(...), and then we pass something arbitrary: console.log, let's call it "hello second world", whatever that means. So: let mySecondFunction = test.constructor('console.log("hello second world")'). Now we're simply going to call that second function, mySecondFunction(). Let's head to Firefox and refresh the page, and notice we get hello second world echoed to the console. In other words, this is equivalent to writing let mySecondFunction = Function('console.log("hello second world")'). That's because test.constructor returns a reference to the function that created this particular object, which is the reference to the Function constructor itself. So then we can pass whichever value we
want as a string to create a new function.

So the question is, how does everything tie together? Well, let's play around with that Angular app. Instead of calling 1+1, let's call $on (or you can use $eval, but the lab uses $on) with .constructor on the end. Let's just check out {{$on.constructor}}. Now, if you remember when we were looking at the scope of this object and the inherited properties, we saw that $on is a function. Well, how are functions created under the hood? By using that JavaScript Function constructor. In other words, $on.constructor simply returns that JavaScript Function constructor. OK, let's just refresh the page, and notice we get function Function. Look familiar? That is the JavaScript Function constructor. So since the constructor property on our test function returns the JavaScript Function constructor, and so does $on.constructor, that's why we can immediately provide brackets after constructor: it's a property that returns a function, which allows us to make use of those call brackets. We can then pass in the function body that we want to create, which is alert in this case. And now hopefully we also understand why we need those additional brackets: on its own this is just creating a function using the JavaScript Function constructor, but remember we said that we can dynamically create functions and execute them immediately just by providing the additional brackets.

Now the final question we might have is, why is this specifically a vulnerability with Angular? Why is this not just a vulnerability in terms of being able to inject JavaScript? For example, a really logical question here is, well, let's just make use of Function directly, right? Let's just make use of Function, pass in alert, and then add the brackets so it gets executed immediately: {{Function('alert()')()}}. Let's refresh the page. It doesn't work. Why doesn't it work? Presumably a security feature of AngularJS: it doesn't want malicious actors executing arbitrary
JavaScript, for obvious reasons. That's the whole point behind cross-site scripting attacks: we shouldn't be able to execute arbitrary JavaScript. So we are bypassing the security by accessing a property within scope, then accessing its constructor property, which returns this Function constructor; then we create our function and call it directly. This is bypassing the security in this case. So instead of Function, we're just calling an expression which returns that function, which in this case is $on.constructor or $eval.constructor; that returns the JavaScript Function constructor. We refresh the page and we get the alert on the page.

So one of the takeaways I really like from this lab, aside from the fact that we get to do a slightly deeper dive on how Angular works and also how some core features of JavaScript work, is that it illustrates the importance of being a researcher. Hacking is not just about copying and pasting some kind of exploit into an input field somewhere; it's about understanding what's taking place, so that we can manipulate that particular payload and use it in slightly different environments. The other interesting thing here is that this particular exploit appears to require some knowledge of Angular, so this is something that could easily be missed if we're just trying regular cross-site scripting payloads, like just trying to inject an alert function, for example. We might miss the fact that there's a possible cross-site scripting vulnerability on this particular lab. The other thing we might do here is we might be aware of curly brackets and figure that something's not quite right, because when we put 1+1 inside those curly brackets, the expression is parsed and we actually get 2 echoed to the page. So we might sense that something's not right with that, but then struggle to be able to move to the next step where we have a full cross-site scripting attack. So again, we needed to understand a few basic features
of how the Angular framework works, and JavaScript frameworks in general. So in this case we needed to understand what the scope is and which particular functions are available inside that scope. Then we were also able to manipulate that because we understood what a function constructor is in JavaScript and how it's different from the regular way that JavaScript developers create functions.

All right, thanks very much for watching. Hopefully you learned something about cross-site scripting, something about Angular, and something about the way that JavaScript works. Thanks for watching guys.
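To make the chain walked through above (scope lookup, any in-scope function's .constructor being Function, and the extra call brackets) something you can run without a browser, here is an added example that is not code from the video or from AngularJS. evalOnScope is a small stand-in written for this example, not AngularJS's expression parser, and the scope object, its $on stub and the guarded variant are constructed here for illustration.

```javascript
// Added example, not from the video: a Node emulation of {{ }} evaluation
// against a scope object, plus an audit of which scope members expose the
// Function constructor. Not AngularJS code; written for this example.

// Constructed scope mirroring what the video found: user data and a
// framework-style method ($on, a stub here) on the same object.
function makeScope() {
  const scope = { firstName: 'Adam' };
  scope.$on = function $on(name, listener) { return () => {}; };
  return scope;
}

// Evaluate an expression with the scope as its lookup root, the way a binding
// does: names missing from scope resolve to undefined rather than falling back
// to window/globalThis, and an expression that throws renders as empty.
function evalOnScope(expr, scope) {
  // Code built by the Function constructor is always sloppy mode, so `with`
  // is permitted here even if this file itself is strict.
  const fn = Function('s', 'with (s) { return (' + expr + '); }');
  const lookupRoot = new Proxy(scope, {
    has: () => true,                             // every identifier hits scope...
    get: (t, k) => (k in t ? t[k] : undefined)   // ...and is undefined if absent
  });
  try { return fn(lookupRoot); } catch (e) { return undefined; }
}

// Audit helper: each function reachable on the scope (own or inherited)
// carries a .constructor equal to Function, so each is a path from the
// binding to arbitrary code. This is the "any function works" point.
function functionsExposingConstructor(scope) {
  const names = new Set();
  for (let o = scope; o && o !== Object.prototype; o = Object.getPrototypeOf(o)) {
    for (const k of Object.getOwnPropertyNames(o)) {
      if (typeof o[k] === 'function' && o[k].constructor === Function) names.add(k);
    }
  }
  return [...names].sort();
}

// Illustrative guard in the spirit of the old AngularJS expression sandbox:
// refuse expressions naming constructor/__proto__/prototype. It stops this
// payload, but it is a blocklist rather than a boundary (see note below).
function evalOnScopeGuarded(expr, scope) {
  if (/\b(constructor|__proto__|prototype)\b/.test(expr)) return undefined;
  return evalOnScope(expr, scope);
}

// Run the video's probes through the emulation.
function demo() {
  const scope = makeScope();
  return {
    arithmetic:     evalOnScope('1+1', scope),                                 // 2
    directAlert:    evalOnScope('alert(1)', scope),                            // undefined: alert not on scope
    directFunction: evalOnScope("Function('return 1')()", scope),              // undefined: nor is Function
    viaConstructor: evalOnScope("$on.constructor('return 6*7')()", scope),     // 42: $on.constructor is Function
    guarded:        evalOnScopeGuarded("$on.constructor('return 6*7')()", scope), // undefined
    exposed:        functionsExposingConstructor(scope)                        // ['$on']
  };
}

console.log(demo());
```

AngularJS removed its expression sandbox in 1.6 after repeated bypasses, so read evalOnScopeGuarded as a demonstration of why identifier filtering is brittle, not as a fix. The durable mitigation is to keep untrusted text out of any element AngularJS binds, for example by marking it ng-non-bindable, since HTML-encoding angle brackets and quotes does nothing to {{ }}.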