tijme / angularjs-csti-scanner

Automated client-side template injection (sandbox escape/bypass) detection for AngularJS v1.x.
MIT License
291 stars, 86 forks

Initial requests from ACSTIS ignoring the proxy settings #7

Closed jovyn closed 6 years ago

jovyn commented 6 years ago

I noticed that initial requests sent by acstis do not obey the proxy settings mentioned in the extended.py file.

In order to demonstrate this, I set my system proxy to Fiddler (localhost:8888) and entered the proxy settings in extended.py to Burp Suite (localhost:8080).

extended.py <proxy settings>

options.identity.proxies = {
    # No authentication
    'http': 'http://127.0.0.1:8080',
    'https': 'http://127.0.0.1:8080',
}

On running acstis with proper Burp certificates I get the following output:

PS C:\FooBar\Tools\Angular-CSTI-Scanner\> python extended.py -c -d "https://owaspjuiceshop221b.herokuapp.com/#/search" -tc "C:\Foobar\Path\To\Certificates\Burp_Cert.pem"

  /$$$$$$   /$$$$$$   /$$$$$$  /$$$$$$$$ /$$$$$$  /$$$$$$
 /$$__  $$ /$$__  $$ /$$__  $$|__  $$__/|_  $$_/ /$$__  $$
| $$  \ $$| $$  \__/| $$  \__/   | $$     | $$  | $$  \__/
| $$$$$$$$| $$      |  $$$$$$    | $$     | $$  |  $$$$$$
| $$__  $$| $$       \____  $$   | $$     | $$   \____  $$
| $$  | $$| $$    $$ /$$  \ $$   | $$     | $$   /$$  \ $$
| $$  | $$|  $$$$$$/|  $$$$$$/   | $$    /$$$$$$|  $$$$$$/
|__/  |__/ \______/  \______/    |__/   |______/ \______/

Version 3.0.1 - Copyright 2017 Tijme Gommers <tijme@finnwea.com>

[INFO] Looking for AngularJS version using a headless browser.
[INFO] Waiting until DOM is completely loaded.
[INFO] Found AngularJS version 1.5.11.
[INFO] Angular CSTI scanner started.
[INFO] Scanning https://owaspjuiceshop221b.herokuapp.com/#/search

At this point, before the first request is sent to Burp, the following requests go via Fiddler (this shows that the acstis scanner is ignoring the proxy settings and using the system proxy settings).

Fiddler Requests log:

#   Result  Protocol    Host    URL Body    Caching Content-Type    Process Comments    Custom  

1   200 HTTP    127.0.0.1:64799 /wd/hub/session 533     application/json;charset=UTF-8  python:8548         
2   200 HTTP    127.0.0.1:64799 /wd/hub/session/fbab6230-9d35-11e7-89f3-b53578fff108/url    74      application/json;charset=UTF-8  python:8548         
3   200 HTTP    Tunnel to   owaspjuiceshop221b.herokuapp.com:443    0           win-2.1.1:8532          
4   200 HTTPS   owaspjuiceshop221b.herokuapp.com    /   12,489  public, max-age=0   text/html; charset=UTF-8    win-2.1.1:8532          
6   200 HTTPS   owaspjuiceshop221b.herokuapp.com    /bower_components/bootswatch/slate/bootstrap.min.css    142,322 public, max-age=0   text/css; charset=UTF-8 win-2.1.1:8532          
7   200 HTTP    Tunnel to   owaspjuiceshop221b.herokuapp.com:443    0           win-2.1.1:8532          
8   200 HTTP    Tunnel to   owaspjuiceshop221b.herokuapp.com:443    0           win-2.1.1:8532          
9   200 HTTP    Tunnel to   owaspjuiceshop221b.herokuapp.com:443    0           win-2.1.1:8532          
10  200 HTTP    Tunnel to   owaspjuiceshop221b.herokuapp.com:443    0           win-2.1.1:8532          
11  200 HTTP    Tunnel to   owaspjuiceshop221b.herokuapp.com:443    0           win-2.1.1:8532          
12  200 HTTPS   owaspjuiceshop221b.herokuapp.com    /bower_components/fontawesome/css/font-awesome.min.css  31,000  public, max-age=0   text/css; charset=UTF-8 win-2.1.1:8532          
13  200 HTTPS   owaspjuiceshop221b.herokuapp.com    /bower_components/flag-icon-css/css/flag-icon.min.css   33,481  public, max-age=0   text/css; charset=UTF-8 win-2.1.1:8532          
14  200 HTTPS   owaspjuiceshop221b.herokuapp.com    /bower_components/github-fork-ribbon-css/gh-fork-ribbon.css 3,546   public, max-age=0   text/css; charset=UTF-8 win-2.1.1:8532          
15  200 HTTPS   owaspjuiceshop221b.herokuapp.com    /css/app.css    460 public, max-age=0   text/css; charset=UTF-8 win-2.1.1:8532          
16  200 HTTPS   owaspjuiceshop221b.herokuapp.com    /socket.io/socket.io.js 61,211      application/javascript  win-2.1.1:8532          
17  200 HTTPS   owaspjuiceshop221b.herokuapp.com    /bower_components/underscore/underscore.js  52,919  public, max-age=0   application/javascript  win-2.1.1:8532          
18  200 HTTPS   owaspjuiceshop221b.herokuapp.com    /bower_components/string/dist/string.min.js 27,717  public, max-age=0   application/javascript  win-2.1.1:8532          
19  200 HTTPS   owaspjuiceshop221b.herokuapp.com    /bower_components/moment/min/moment.min.js  51,465  public, max-age=0   application/javascript  win-2.1.1:8532          
20  200 HTTPS   owaspjuiceshop221b.herokuapp.com    /bower_components/jquery/dist/jquery.min.js 86,659  public, max-age=0   application/javascript  win-2.1.1:8532          
21  200 HTTPS   owaspjuiceshop221b.herokuapp.com    /bower_components/bootstrap/dist/js/bootstrap.min.js    37,045  public, max-age=0   application/javascript  win-2.1.1:8532          
22  200 HTTPS   owaspjuiceshop221b.herokuapp.com    /bower_components/angular/angular.min.js    163,188 public, max-age=0   application/javascript  win-2.1.1:8532          
23  200 HTTPS   owaspjuiceshop221b.herokuapp.com    /bower_components/angular-translate/angular-translate.min.js    23,733  public, max-age=0   application/javascript  win-2.1.1:8532          
24  200 HTTPS   owaspjuiceshop221b.herokuapp.com    /bower_components/angular-translate-loader-static-files/angular-translate-loader-static-files.min.js    1,371   public, max-age=0   application/javascript  win-2.1.1:8532          
25  200 HTTPS   owaspjuiceshop221b.herokuapp.com    /bower_components/angular-route/angular-route.min.js    4,786   public, max-age=0   application/javascript  win-2.1.1:8532          
26  200 HTTPS   owaspjuiceshop221b.herokuapp.com    /bower_components/angular-cookies/angular-cookies.min.js    1,448   public, max-age=0   application/javascript  win-2.1.1:8532          
27  200 HTTPS   owaspjuiceshop221b.herokuapp.com    /bower_components/angular-touch/angular-touch.min.js    4,042   public, max-age=0   application/javascript  win-2.1.1:8532          
28  200 HTTPS   owaspjuiceshop221b.herokuapp.com    /bower_components/angular-animate/angular-animate.min.js    25,722  public, max-age=0   application/javascript  win-2.1.1:8532          
29  200 HTTPS   owaspjuiceshop221b.herokuapp.com    /bower_components/angular-bootstrap/ui-bootstrap.min.js 100,829 public, max-age=0   application/javascript  win-2.1.1:8532          
30  200 HTTPS   owaspjuiceshop221b.herokuapp.com    /bower_components/angular-bootstrap/ui-bootstrap-tpls.min.js    122,900 public, max-age=0   application/javascript  win-2.1.1:8532          
31  200 HTTPS   owaspjuiceshop221b.herokuapp.com    /bower_components/ng-file-upload/ng-file-upload-shim.min.js 7,262   public, max-age=0   application/javascript  win-2.1.1:8532          
32  200 HTTPS   owaspjuiceshop221b.herokuapp.com    /bower_components/ng-file-upload/ng-file-upload.min.js  37,495  public, max-age=0   application/javascript  win-2.1.1:8532          
33  200 HTTPS   owaspjuiceshop221b.herokuapp.com    /bower_components/angular-socket-io/socket.min.js   1,291   public, max-age=0   application/javascript  win-2.1.1:8532          
34  200 HTTPS   owaspjuiceshop221b.herokuapp.com    /bower_components/clipboard/dist/clipboard.min.js   10,286  public, max-age=0   application/javascript  win-2.1.1:8532          
35  200 HTTPS   owaspjuiceshop221b.herokuapp.com    /bower_components/ngclipboard/dist/ngclipboard.min.js   640 public, max-age=0   application/javascript  win-2.1.1:8532          
36  200 HTTPS   owaspjuiceshop221b.herokuapp.com    /bower_components/angular-base64/angular-base64.js  5,844   public, max-age=0   application/javascript  win-2.1.1:8532          
37  200 HTTPS   owaspjuiceshop221b.herokuapp.com    /bower_components/qrcode-generator/js/qrcode.js 45,006  public, max-age=0   application/javascript  win-2.1.1:8532          
38  200 HTTPS   owaspjuiceshop221b.herokuapp.com    /bower_components/angular-qrcode/angular-qrcode.js  5,267   public, max-age=0   application/javascript  win-2.1.1:8532          
39  200 HTTPS   owaspjuiceshop221b.herokuapp.com    /dist/juice-shop.min.js 100,409 public, max-age=0   application/javascript  win-2.1.1:8532          
40  200 HTTPS   owaspjuiceshop221b.herokuapp.com    /public/images/JuiceShop_Logo.png   99,456  public, max-age=0   image/png   win-2.1.1:8532          
41  200 HTTPS   owaspjuiceshop221b.herokuapp.com    /socket.io/?EIO=3&transport=polling&t=LwQ76v4   104     text/plain; charset=UTF-8   win-2.1.1:8532          
42  200 HTTPS   owaspjuiceshop221b.herokuapp.com    /i18n/en.json   5,977   public, max-age=0   application/json    win-2.1.1:8532          
43  200 HTTPS   owaspjuiceshop221b.herokuapp.com    /i18n/en_US.json    12,489  public, max-age=0   text/html; charset=UTF-8    win-2.1.1:8532          
44  200 HTTPS   owaspjuiceshop221b.herokuapp.com    /rest/admin/application-version 19      application/json; charset=utf-8 win-2.1.1:8532          
45  200 HTTPS   owaspjuiceshop221b.herokuapp.com    /rest/admin/application-configuration   5,894       application/json; charset=utf-8 win-2.1.1:8532          
46  200 HTTPS   owaspjuiceshop221b.herokuapp.com    /rest/product/search?q=undefined    7,414       application/json; charset=utf-8 win-2.1.1:8532          
47  200 HTTPS   owaspjuiceshop221b.herokuapp.com    /public/images/products/%7B%7Bproduct.image%7D%7D   12,489  public, max-age=0   text/html; charset=UTF-8    win-2.1.1:8532          
48  200 HTTP    Tunnel to   owaspjuiceshop221b.herokuapp.com:443    0           win-2.1.1:8532          
49  200 HTTPS   owaspjuiceshop221b.herokuapp.com    /bower_components/fontawesome/fonts/fontawesome-webfont.ttf?v=4.7.0 165,548 public, max-age=0   application/x-font-ttf  win-2.1.1:8532          
50  200 HTTPS   owaspjuiceshop221b.herokuapp.com    /socket.io/?EIO=3&transport=polling&t=LwQ76y_&sid=Fej1KnRWts7JTzq8AAAA  23      text/plain; charset=UTF-8   win-2.1.1:8532          
51  200 HTTPS   owaspjuiceshop221b.herokuapp.com    /public/images/products/apple_juice.jpg 14,827  public, max-age=0   image/jpeg  win-2.1.1:8532          
52  200 HTTPS   owaspjuiceshop221b.herokuapp.com    /public/images/products/apple_pressings.jpg 50,981  public, max-age=0   image/jpeg  win-2.1.1:8532          
53  200 HTTPS   owaspjuiceshop221b.herokuapp.com    /public/images/products/banana_juice.jpg    11,276  public, max-age=0   image/jpeg  win-2.1.1:8532          
54  200 HTTPS   owaspjuiceshop221b.herokuapp.com    /public/images/products/carrot_juice.jpeg   21,811  public, max-age=0   image/jpeg  win-2.1.1:8532          
55  200 HTTPS   owaspjuiceshop221b.herokuapp.com    /public/images/products/eggfruit_juice.jpg  25,715  public, max-age=0   image/jpeg  win-2.1.1:8532          
56  101 HTTPS   owaspjuiceshop221b.herokuapp.com    /socket.io/?EIO=3&transport=websocket&sid=Fej1KnRWts7JTzq8AAAA  0           win-2.1.1:8532          
57  200 HTTPS   owaspjuiceshop221b.herokuapp.com    /public/images/products/white_raffards.jpg  26,353  public, max-age=0   image/jpeg  win-2.1.1:8532          
58  200 HTTPS   owaspjuiceshop221b.herokuapp.com    /public/images/products/fruit_press.jpg 23,082  public, max-age=0   image/jpeg  win-2.1.1:8532          
59  200 HTTPS   owaspjuiceshop221b.herokuapp.com    /public/images/products/green_smoothie.jpg  16,661  public, max-age=0   image/jpeg  win-2.1.1:8532          
60  200 HTTPS   owaspjuiceshop221b.herokuapp.com    /public/images/products/artwork.jpg 634,687 public, max-age=0   image/jpeg  win-2.1.1:8532          
61  200 HTTPS   owaspjuiceshop221b.herokuapp.com    /public/images/products/lemon_juice.jpg 14,393  public, max-age=0   image/jpeg  win-2.1.1:8532          
62  200 HTTPS   owaspjuiceshop221b.herokuapp.com    /public/images/products/melon_bike.jpeg 36,673  public, max-age=0   image/jpeg  win-2.1.1:8532          
63  200 HTTPS   owaspjuiceshop221b.herokuapp.com    /public/images/products/fan_girlie.jpg  19,501  public, max-age=0   image/jpeg  win-2.1.1:8532          
64  200 HTTPS   owaspjuiceshop221b.herokuapp.com    /public/images/products/ctf_sticker.png 25,877  public, max-age=0   image/png   win-2.1.1:8532          
65  200 HTTPS   owaspjuiceshop221b.herokuapp.com    /public/images/products/fan_hoodie.jpg  19,566  public, max-age=0   image/jpeg  win-2.1.1:8532          
66  200 HTTPS   owaspjuiceshop221b.herokuapp.com    /public/images/products/3d_keychain.jpg 20,483  public, max-age=0   image/jpeg  win-2.1.1:8532          
67  200 HTTPS   owaspjuiceshop221b.herokuapp.com    /public/images/products/fan_mug.jpg 16,255  public, max-age=0   image/jpeg  win-2.1.1:8532          
68  200 HTTPS   owaspjuiceshop221b.herokuapp.com    /public/images/products/sticker_facelift.png    30,851  public, max-age=0   image/png   win-2.1.1:8532          
69  200 HTTPS   owaspjuiceshop221b.herokuapp.com    /public/images/products/fan_shirt.jpg   14,682  public, max-age=0   image/jpeg  win-2.1.1:8532          
70  200 HTTPS   owaspjuiceshop221b.herokuapp.com    /public/images/products/owasplogo.png   18,505  public, max-age=0   image/png   win-2.1.1:8532          
71  200 HTTPS   owaspjuiceshop221b.herokuapp.com    /public/images/products/owasp_osaft.jpg 21,488  public, max-age=0   image/jpeg  win-2.1.1:8532          
72  200 HTTPS   owaspjuiceshop221b.herokuapp.com    /public/images/products/orange_juice.jpg    37,636  public, max-age=0   image/jpeg  win-2.1.1:8532          
73  200 HTTPS   owaspjuiceshop221b.herokuapp.com    /public/images/products/quince.jpg  18,711  public, max-age=0   image/jpeg  win-2.1.1:8532          
74  200 HTTPS   owaspjuiceshop221b.herokuapp.com    /public/images/products/raspberry_juice.jpg 21,058  public, max-age=0   image/jpeg  win-2.1.1:8532          
75  200 HTTPS   owaspjuiceshop221b.herokuapp.com    /public/images/products/strawberry_juice.jpeg   18,047  public, max-age=0   image/jpeg  win-2.1.1:8532          
76  200 HTTPS   owaspjuiceshop221b.herokuapp.com    /public/images/products/woodruff_syrup.jpg  96,062  public, max-age=0   image/jpeg  win-2.1.1:8532          
77  200 HTTPS   owaspjuiceshop221b.herokuapp.com    /socket.io/?EIO=3&transport=polling&t=LwQ773s&sid=Fej1KnRWts7JTzq8AAAA  3       text/plain; charset=UTF-8   win-2.1.1:8532          
78  200 HTTP    127.0.0.1:64799 /wd/hub/session/fbab6230-9d35-11e7-89f3-b53578fff108/execute    80      application/json;charset=UTF-8  python:8548         
79  200 HTTP    127.0.0.1:64799 /wd/hub/session/fbab6230-9d35-11e7-89f3-b53578fff108    74      application/json;charset=UTF-8  python:8548 

Now, in case certain web apps (read: client apps) are only accessible through a certain proxy (e.g. a client proxy) and it is not possible to set this proxy as the system proxy, then despite setting the proxy (client proxy) in extended.py we get the error below.

  /$$$$$$   /$$$$$$   /$$$$$$  /$$$$$$$$ /$$$$$$  /$$$$$$
 /$$__  $$ /$$__  $$ /$$__  $$|__  $$__/|_  $$_/ /$$__  $$
| $$  \ $$| $$  \__/| $$  \__/   | $$     | $$  | $$  \__/
| $$$$$$$$| $$      |  $$$$$$    | $$     | $$  |  $$$$$$
| $$__  $$| $$       \____  $$   | $$     | $$   \____  $$
| $$  | $$| $$    $$ /$$  \ $$   | $$     | $$   /$$  \ $$
| $$  | $$|  $$$$$$/|  $$$$$$/   | $$    /$$$$$$|  $$$$$$/
|__/  |__/ \______/  \______/    |__/   |______/ \______/

Version 3.0.1 - Copyright 2017 Tijme Gommers <tijme@finnwea.com>

[INFO] Looking for AngularJS version using a headless browser.
[INFO] Waiting until DOM is completely loaded.
[ERROR] Couldn't determine the AngularJS version (`angular.version.full` threw an exception).
[ERROR] If you are certain this URL uses AngularJS, specify the version via the `--angular-version` argument. 

This error occurs because ACSTIS sends the initial requests to the target site via the system proxy, and since the target site is not reachable, it results in an error.
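The report above rests on two observations: the Fiddler "Process" column shows that only the browser process (win-2.1.1) ever talked to the target, while the python process only talked to the local WebDriver hub (/wd/hub/session), and the tool's `options.identity.proxies` dict was never handed to that browser. The following added example (not code from acstis or its author) shows both halves of the triage: a small parser for tab-separated Fiddler export lines that reports which process reached the target through the system proxy, and a translation of a requests-style proxies dict into the proxy settings a headless Chromium (`--proxy-server`) or Firefox (`network.proxy.*` prefs) would need so that the browser honours the same proxy as the scanner's own HTTP client. The log lines, the host `target.example` and the process names `python`/`browser` are constructed; the page does not say which browser the scanner drives, so the Chromium/Firefox mapping is an assumption about how one would fix this, not a description of the project's fix.

```python
"""Triage helpers for a "headless browser ignores the tool proxy" report.

Added example, not part of acstis.  The log below is constructed and
tab-separated in the column order of a Fiddler session export.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: #, Result, Protocol, Host, URL, Body, Caching,
# Content-Type, Process, Comments, Custom (11 tab-separated columns).
SAMPLE_LOG = "\n".join([
    "#\tResult\tProtocol\tHost\tURL\tBody\tCaching\tContent-Type\tProcess\tComments\tCustom",
    "1\t200\tHTTP\t127.0.0.1:64799\t/wd/hub/session\t533\t\tapplication/json;charset=UTF-8\tpython:8548\t\t",
    "2\t200\tHTTP\tTunnel to\ttarget.example:443\t0\t\t\tbrowser:8532\t\t",
    "3\t200\tHTTPS\ttarget.example\t/\t12489\tpublic, max-age=0\ttext/html; charset=UTF-8\tbrowser:8532\t\t",
    "4\t200\tHTTPS\ttarget.example\t/bower_components/angular/angular.min.js\t163188\tpublic, max-age=0\tapplication/javascript\tbrowser:8532\t\t",
    "5\t200\tHTTP\t127.0.0.1:64799\t/wd/hub/session/abc/execute\t80\t\tapplication/json;charset=UTF-8\tpython:8548\t\t",
])

# The proxies dict in the shape used by extended.py / python-requests.
TOOL_PROXIES = {
    'http': 'http://127.0.0.1:8080',
    'https': 'http://127.0.0.1:8080',
}


def parse_fiddler_log(text):
    """Parse tab-separated Fiddler rows into dicts keyed by the header names."""
    lines = [line for line in text.splitlines() if line.strip()]
    header = lines[0].split("\t")
    rows = []
    for line in lines[1:]:
        row = dict(zip(header, line.split("\t")))
        # For a CONNECT tunnel Fiddler writes "Tunnel to" in Host and the
        # real host:port in URL; normalise so Host always holds the host.
        if row.get("Host") == "Tunnel to":
            row["Host"] = row["URL"]
            row["URL"] = "CONNECT"
        rows.append(row)
    return rows


def hosts_by_process(rows):
    """Map each originating process name (before the PID) to the hosts it contacted."""
    out = defaultdict(set)
    for r in rows:
        process = r["Process"].split(":")[0]
        host = r["Host"].split(":")[0]
        out[process].add(host)
    return dict(out)


def target_reached_by(rows, target_host):
    """Processes whose traffic for the scan target went through this proxy."""
    return sorted(p for p, hosts in hosts_by_process(rows).items() if target_host in hosts)


def chrome_proxy_flag(proxies):
    """Translate a requests-style proxies dict into Chromium's --proxy-server flag.

    Chromium accepts a per-scheme map of the form "http=host:port;https=host:port".
    """
    parts = []
    for scheme in ("http", "https"):
        if scheme in proxies:
            u = urlsplit(proxies[scheme])
            parts.append(f"{scheme}={u.hostname}:{u.port}")
    return "--proxy-server=" + ";".join(parts)


def firefox_proxy_prefs(proxies):
    """Translate the same dict into Firefox manual-proxy preferences (type 1)."""
    prefs = {"network.proxy.type": 1}
    keys = {"http": ("network.proxy.http", "network.proxy.http_port"),
            "https": ("network.proxy.ssl", "network.proxy.ssl_port")}
    for scheme, (host_key, port_key) in keys.items():
        if scheme in proxies:
            u = urlsplit(proxies[scheme])
            prefs[host_key] = u.hostname
            prefs[port_key] = u.port
    return prefs


if __name__ == "__main__":
    rows = parse_fiddler_log(SAMPLE_LOG)
    print("hosts per process:", hosts_by_process(rows))
    print("target reached via system proxy by:", target_reached_by(rows, "target.example"))
    print("browser should be started with:", chrome_proxy_flag(TOOL_PROXIES))
    print("or, for Firefox, prefs:", firefox_proxy_prefs(TOOL_PROXIES))
```

Run against the constructed log, `target_reached_by` returns only `browser`, which is exactly the symptom in the report: the scanner's Python side never contacts the target before the version probe, so the only component that needs the tool proxy at that stage is the headless browser, and it has to be configured separately from the `proxies` dict that python-requests consumes.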

tijme commented 6 years ago

@jovyn Thank you for reporting this issue. I'll try to look at it soon.

tijme commented 6 years ago

Hi @jovyn, I fixed the issue on the develop branch. It will be released to the master branch when the other two issues are fixed.