turbot/tailpipe-mod-apache-access-log-detections

Detection: Cross-Site Scripting AngularJS Template

Overview

The AngularJS Template Injection detection identifies Cross-Site Scripting (XSS) attacks that specifically target AngularJS template expressions. This is a sophisticated attack vector where attackers inject malicious code using AngularJS's template syntax, such as double curly braces ({{ }}) and specialized directives.

This detection examines both the request URI and the User-Agent header of each logged request for AngularJS-specific syntax. It matches, case-insensitively, substrings taken from common attack patterns such as {{ constructor.constructor() }}, which can be used to execute arbitrary JavaScript in applications using AngularJS.

AngularJS template injection attacks are particularly dangerous because they can bypass traditional XSS filters that focus on HTML tags and JavaScript syntax. When AngularJS processes templates, it evaluates expressions within curly braces, potentially allowing attackers to execute arbitrary JavaScript if the application doesn't properly sanitize user inputs before incorporating them into templates.

Advanced AngularJS injection techniques often use methods like $eval or directives like ng-init to execute code. Attackers may also leverage JavaScript's prototype chain to access constructor functions and execute arbitrary code, even in environments with Content Security Policy (CSP) protections.

Because it examines both request URIs and User-Agent headers, this detection can identify attackers who attempt to evade security controls by hiding their template injection payloads in HTTP headers rather than request parameters. Checking both fields helps security teams identify AngularJS template injection attempts targeting their web applications.

Usage

Run the detection in your terminal:

powerpipe detection run apache_access_log_detections.detection.cross_site_scripting_angular_template

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe detection run apache_access_log_detections.detection.cross_site_scripting_angular_template --share

SQL

This detection uses a named query:

select
  tp_timestamp as timestamp,
  request_method as operation,
  request_uri as resource,
  status,
  http_user_agent as actor,
  tp_source_ip as source_ip,
  tp_id as source_id,
  -- Create new aliases to preserve original row data
  status as status_src,
  timestamp as timestamp_src,
  * exclude (status, timestamp)
from
  apache_access_log
where
  (
    request_uri is not null
    and (
      -- Common AngularJS injection patterns
      request_uri ilike '%constructor.constructor%'
      or request_uri ilike '%$eval%'
      or request_uri ilike '%ng-init%'
      or request_uri ilike '%ng-bind%'
      or request_uri ilike '%ng-include%'
    )
  )
  or (
    http_user_agent is not null
    and (
      -- Common AngularJS injection patterns
      http_user_agent ilike '%constructor.constructor%'
      or http_user_agent ilike '%$eval%'
      or http_user_agent ilike '%ng-init%'
      or http_user_agent ilike '%ng-bind%'
      or http_user_agent ilike '%ng-include%'
    )
  )
order by
  tp_timestamp desc;
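
The same five substring checks, applied in Python to constructed Apache combined-format lines so you can see what the query flags before tuning it. This is an added example, not the mod's own code. The decode option (percent-decoding before matching) is an assumption that the query above does not perform, and the sample lines, including the benign /docs/api/ng-bind.html request that still matches, are constructed.

```python
import re
from urllib.parse import unquote

# The five substrings the named query matches with ILIKE (case-insensitive).
PATTERNS = ["constructor.constructor", "$eval", "ng-init", "ng-bind", "ng-include"]

# Apache combined format: ip ident user [time] "request" status bytes "referer" "agent"
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<uri>\S+)[^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def matched(value, decode=False):
    """Return the patterns found in value; decode=True percent-decodes it first."""
    if not value:
        return []
    text = (unquote(value) if decode else value).lower()
    return [p for p in PATTERNS if p in text]

def detect(line, decode=False):
    """Apply the query's request_uri and http_user_agent checks to one log line."""
    m = COMBINED.match(line)
    if not m:
        return None
    hits = {"request_uri": matched(m["uri"], decode),
            "http_user_agent": matched(m["ua"], decode)}
    hits = {field: found for field, found in hits.items() if found}
    return {"source_ip": m["ip"], "hits": hits} if hits else None

# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE = [
    '192.0.2.10 - - [10/Mar/2025:10:00:00 +0000] "GET /s?q={{constructor.constructor()}} HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.11 - - [10/Mar/2025:10:00:01 +0000] "GET /s?q=%7B%7B%24eval%7D%7D HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.12 - - [10/Mar/2025:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 ng-init=a"',
    '192.0.2.13 - - [10/Mar/2025:10:00:03 +0000] "GET /docs/api/ng-bind.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.14 - - [10/Mar/2025:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for line in SAMPLE:
        # Left: matching on the raw field, as the query does. Right: after decoding.
        print(detect(line), "|", detect(line, decode=True))
```

The second line matches only with decode=True, because the logged URI carries %24eval rather than $eval.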