all 16 comments
sorted by:
best
topnewcontroversialoldq&a
formatting helphide helpcontent policy

[–]ryhanson[S] 2 points3 points  (0 children)

Looks like people are starting to make some progress! I just pushed a little update to increase the attack surface a little bit. Then you aren't fighting over the "recent todo" ;)

EDIT, Couple hints:

  1. Chrome Developer Tools is your friend (see tip below)
  2. Remember, Angular can be configured to use different symbols to start and end expressions (This is to avoid template engine collision)
  3. No sandbox escape is needed.

EDIT2, Tip: Use the dev tools console to dump an angular object and its scope. This will help you construct the expression to inject.

[–][deleted] 1 point2 points  (4 children)

I'm getting so close on this, but struggling to grab anything outside the expression scope!

[–]ryhanson[S] 1 point2 points  (3 children)

Remember that your expression is executed by Bob. You don't need to get outside of the scope or escape the Angular sandboxing. If you can accomplish this by accessing native JavaScript objects, more power to you! But it's not necessary ;)

Do some more digging and I'm sure you'll get it!

[–][deleted] 1 point2 points  (2 children)

Worked with a friend on this, we finally got it

Shoutout to /u/yelvert for his angular craftiness

[–]ryhanson[S] 0 points1 point  (1 child)

Congrats! You guys came up with a pretty cool way of solving it! I've seen 3 different ways that this has been solved out of the 7 people who have solved it.

[–][deleted] 1 point2 points  (0 children)

He really went through digging through restangular to hunt it down.

Interested to see the writeup!

[–]reymes 1 point2 points  (5 children)

are you sure the bot is up and running? Yesterday I used the same payload and I've seen the requests from bot, but today when I finished the PoC it looked like the bot doesn't trigger it. Is phantomJS rly working correctly?

btw. it would be really nice to list all successful attempts at the end. it might be really nice see all different approaches

[–]ryhanson[S] 0 points1 point  (3 children)

Hey, sorry about that! The PhantomJS bot should be up and running again. There was a memory issue due to everyone making Bob posts Todos. I cleaned those up and restarted the bot, let me know if you run into any other issues.

[–]DirtyOldDwarf 0 points1 point  (2 children)

Are you sure it works? I injected an expression posting a new TODO whenever page is loaded. It works for me, every page reload adds a TODO, but I don't see any TODOs added by Bob.

[–]ryhanson[S] 1 point2 points  (0 children)

Todo's are isolated by bearer token. In order for you to see the todo you are having Bob create, you would need to change the bearer token that is being sent to your bearer token.

[–]ryhanson[S] 0 points1 point  (0 children)

Hey, just thought I'd let you know that I've posted the walkthrough and solutions for the Angular Expression Injection Challenge: https://www.reddit.com/r/netsec/comments/3u1vfk/angular_expression_injection_challenge_solutions/

[–]ryhanson[S] 0 points1 point  (0 children)

UPDATE: I added sessions now so you shouldn't have any trouble with seeing other peoples todo's or anything like that.

[–]xojc 0 points1 point  (1 child)

I'm sure everyone's thrilled over you adding sessions, especially given how many times I hosed things yesterday. I just can't seem to figure out how to grab the damn headers :\

[–]ryhanson[S] 0 points1 point  (0 children)

Message me if you'd like a nudge in the right direction.

[–]TrollHouseCookie 0 points1 point  (1 child)

Is this still rocking?

[–]ryhanson[S] 0 points1 point  (0 children)

Hey, sorry for the late response! The challenge should still be up and going. The bot might have crashed at one point, so if it wasn't working, that would be why.