Angular JS Sandbox Bypass – Stored XSS on RockStarGames

Is It Possible to Pop an XSS Alert Without HTML?

Yes, why not! Here it is. After a cool sensitive database touch in the Google acquisition Appetas and a bunch of other Yahoo bugs, this was the nicest finding I’ve ever met.

Hey there, what is Angular JS?

Yeah, obviously everyone wants to know that, right? A brief introduction: Angular JS is an open source JavaScript framework developed by the big tech giant Google. No need to learn another scripting language; it’s just pure JavaScript and HTML. You can find more about it on blogs.

How to detect possible injections?

Yeah, that’s the next step after knowing a little bit about Angular JS. Below are the simple steps to identify it.

  • As simple as that: through WhatWeb.
  • We can use Wappalyzer for web technology detection.
  • Angular JS contains a hell of a lot of expressions. For example, if we inject {{1+2}} in the first name field, it results in 3 after saving.
  • As Angular JS is well known for template usage, we may often see it used in sending automated mails. For example, if you receive a mail saying “Hello Mr. R3boot, Welcome”, we can go back to the site and try all possible injections.

Sandboxing Feature in Angular JS:

There is only one concept we need to look at: the “Sandbox”. Angular expressions are sandboxed to maintain a proper separation of application responsibilities. In order to exploit users, we need to break out of the sandbox and execute arbitrary JavaScript.
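The {{1+2}} probe from the detection steps and the sandbox concept both come down to one thing: user text landing inside a region the AngularJS compiler interpolates. As an added example (not code from the original post or from RockStarGames), here is a small server-side guard in JavaScript showing why entity-encoding the braces is not a fix and how the real AngularJS directive ng-non-bindable keeps the compiler away from the comment entirely; the function names such as renderComment are assumptions.

```javascript
// Added example, not from the original post. Server-side guard for user
// comments that will be placed inside a page region AngularJS compiles.
//
// HTML-escaping alone does not stop client-side template injection: Angular
// interpolates "{{ }}" found in DOM text nodes *after* the browser has parsed
// the HTML, so "&#123;&#123;1+2&#125;&#125;" still becomes "{{1+2}}" in the
// DOM and gets evaluated. The container must carry ng-non-bindable (or the
// text must be delivered through a binding such as ng-bind) instead.

const INTERPOLATION = /\{\{[\s\S]*?\}\}/;

// Detection: true when a comment body carries an interpolation marker, such as
// the "{{1+2}}" probe described in the post.
function containsInterpolation(body) {
  return INTERPOLATION.test(body);
}

// Minimal HTML escaping for text placed in an element body.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[ch]));
}

// Naive "fix": entity-encode the braces as well.
function naiveBraceEncode(body) {
  return escapeHtml(body).replace(/\{/g, '&#123;').replace(/\}/g, '&#125;');
}

// Simulates the browser's HTML parser turning numeric character references
// back into characters, i.e. what the DOM text node actually contains.
function decodeNumericEntities(html) {
  return html.replace(/&#(\d+);/g, (_, n) => String.fromCharCode(Number(n)));
}

// Hardened rendering: escape HTML *and* mark the container non-bindable so the
// AngularJS compiler skips it; "{{1+2}}" is then shown literally, not as 3.
function renderComment(body) {
  return `<span ng-non-bindable>${escapeHtml(body)}</span>`;
}

// Constructed sample comment bodies (the first two mirror the post).
const samples = ['<p>test</p>', '{{1+2}}', 'plain text'];
for (const s of samples) {
  const afterParse = decodeNumericEntities(naiveBraceEncode(s));
  console.log(containsInterpolation(s), afterParse, renderComment(s));
}
```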

Proof Of Concept:

Let me take you through a practical approach that I found on the RockStarGames Support Blog.

The support blog provides features like Q&A about RockStarGames and other stuff.

After several duplicates that spammed my inbox and threw me off this program, the quote “Never Give Up” called me back and pointed me in the opposite direction. One day I was just looking at the out-of-scope URLs listed in the RockStarGames Bug Bounty Policy when suddenly my eye caught the support site (support.rockstargames.com), which was actually out of scope (Jul 6th (4 months ago)).

Whatever, let’s see. I simply went and created a post.

In Wappalyzer I observed that the site uses Angular JS templates to maintain the posts and the comments as well. So I quickly intercepted the request to see how it happens.

The request contains my comment as below:

<p>test</p>

So I quickly tried all possible payloads to trigger the alert, but that’s not the case here. Rockstargames has a strong “blocklisting” character set. This highlighted word caught my eye again. As most blocklisting features can be bypassed, I immediately thought of getting this one. So now I had only one possibility, “No scripts and no HTML tags”, and I needed to form a payload.

A nice post written and posted by the Burp community is here about how to bypass the sandbox and get XSS. So I tried a couple of payloads, and below is my final payload that helped me bypass this sandbox.

{{
    c=''.sub.call;b=''.sub.bind;a=''.sub.apply;
    c.$apply=$apply;c.$eval=b;op=$root.$$phase;
    $root.$$phase=null;od=$root.$digest;$root.$digest=({}).toString;
    C=c.$apply(c);$root.$$phase=op;$root.$digest=od;
    B=C(b,c,b);$evalAsync("
    astNode=pop();astNode.type='UnaryExpression';
    astNode.operator='(window.X?void0:(window.X=true,alert(1)))+';
    astNode.argument={type:'Identifier',name:'foo'};
    ");
    m1=B($$asyncQueue.pop().expression,null,$root);
    m2=B(C,null,m1);[].push.apply=m2;a=''.sub;
    $eval('a(b.c)');[].push.apply=a;
}}

This URL-encoded payload ended up without any HTML encoding, and happily I was able to trigger it.

But the main problem is that “support.rockstargames.com” was out of scope at the time I found this. Later, I can say it was my luck, they updated their policy to include the support blog, and it’s patched now.

Timeline:

  • Reported – Sep 1st (2 months ago)
  • Triaged – Sep 7th (2 months ago)
  • Rewarded $1000 – Sep 19th (about 1 month ago)
  • Patched – Oct 30th (15 hrs ago)

References:

  • My Report – Angular JS XSS
  • Awesome post by Burp – XSS Without HTML
  • $3000 for XSS in Uber via Angular JS
  • WordPress also affected – XSS
