[Question] How to pentest an AngularJS based SPA (Single Page Application)


Sanjeev Kumar Jaiswal

Mar 12, 2016, 10:33:22 PM
to null
Hi All,
I am trying to Pentest an application which is built in AngularJS. The difficulties that I am facing:
  1. Burp Suite's "spider this host" option is not able to crawl all the URLs, as most of the requests are AJAX and Angular based.
  2. When I try manually to parse all the links using Burp Suite, it is able to parse only the home page link. The rest of the clicks are not intercepted.
  3. I am not able to get the contents of the templates used for various layouts. For example, "App/src/dashboard/Menu/Menu.box.tpl.html" is one of the templates used in an Angular directive. But how do I parse its HTML contents (just like we get the HTML source for generally parsed URLs)?

Here, Acunetix was a bit helpful in giving a brief idea of how the application is parsing the contents. But for a manual pentest I am not finding a proper solution, like which tools, methods, etc. I should use.

Please guide me if anyone knows about Angular App pentesting methodologies.
Is there any link/resource/tutorials out there for AngularJS app pentest?

Regards,
Sanjeev (Jassi)

Akash

Mar 14, 2016, 12:24:57 AM
to null-...@googlegroups.com
Hi Sanjeev,

  1. Are you able to see any data that the front-end is sending to the backend in the browser devtools network tab?
  2. I don't understand when you say parse all links in Burp Suite. What do you intend to do after parsing the links?

--
Warm regards,
Akash Mahajan

That Web Application Security Guy | +91 99 805 271 82
akashm.com | @makash on twitter | linkd.in/webappsecguy
OWASP Bangalore Chapter Lead | null Community Manager

Sanjeev Kumar Jaiswal

Mar 15, 2016, 3:38:43 AM
to null

Hi Akash,
First of all, thank you for your response, and my apologies if I ask a very naive question.

Here are the answers to your 2 questions.
1. Are you able to see any data that the front-end is sending to the backend in the browser devtools network tab?
Yes, as I said, manually I can see where the links and data are heading. But Burp Suite is not able to crawl those links automatically under the "spider this host" option.
It is only able to crawl those URLs which are at the primary level, not the nested ones, which are very common in SPA based projects.

Although I found one plugin for Burp Suite named BurpKit, which helps in assessing complex web apps that render the contents of their pages dynamically (JS based, like Angular).

2. I don't understand when you say parse all links in Burp Suite. What do you intend to do after parsing the links?
After spidering the host, I wanted to analyse each URL's response and, if possible, send some of those URLs to Repeater and Sequencer.
Chances are developers may have missed proper authentication, encryption, etc. in at least one of those URLs.
So, the more URLs I am able to crawl, the more chances there are to avoid a false positive result that the site is safe.

Additional Information
This blog also helped a lot in debugging an Angular app manually. I hope this will help others as well.
It helped in finding one business logic flaw. I will try to share the article soon.

I asked the same question on Security Exchange as well. Sharing the link here (got one good answer there):

Regards,
Sanjeev

Akash

Mar 15, 2016, 4:08:57 AM
to null-...@googlegroups.com
Just wondering: if you proxy the application through Burp (don't intercept it), won't you be able to see all the requests being sent through to the server and the responses?

Sanjeev Kumar Jaiswal

Mar 15, 2016, 6:55:13 AM
to null
That is the first step I always do when I start Burp Suite, and yes, Intercept was on.
This usually happens when links are dynamically created by JavaScript or its frameworks like Node, Angular, Express, etc. in an SPA.

The main URL could be like abc.com/#/
Now if you try to click any link inside the app, it would, let's say, go to abc.com/#/dashboard?browse=all
It didn't intercept this. This is common in SPAs and expected indeed.
Automated tools generally ignore anything after #. This is called the fragment identifier.

But in Angular we can retrieve it again via the $location.hash() function.

Once I pentest in public domain developed in Angular + Node or Angular + ASP.NET I would personally ping you :)

Regards,
Sanjeev
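
As an added example (not code from the thread or from any tool mentioned in it), the snippet below shows why a server-side spider misses hashbang routes and how the client-side routes and template paths from the original question can instead be read out of the app's own JavaScript for review. The AngularJS source, the origin https://abc.example/ and all paths in it are constructed for illustration.

```javascript
// Constructed sample of an AngularJS route table and a directive template;
// a real app ships this in its own JS bundle, which the browser downloads.
const sampleAppJs = `
angular.module('app', ['ngRoute']).config(function ($routeProvider) {
  $routeProvider
    .when('/', { templateUrl: 'App/src/home/Home.tpl.html' })
    .when('/dashboard', { templateUrl: 'App/src/dashboard/Dashboard.tpl.html',
                          controller: 'DashCtrl' })
    .when('/admin/users/:id', { templateUrl: 'App/src/admin/User.tpl.html' })
    .otherwise({ redirectTo: '/' });
}).directive('menuBox', function () {
  return { templateUrl: 'App/src/dashboard/Menu/Menu.box.tpl.html' };
});`;

// Split a hashbang URL into the part the server actually receives and the
// part only the client-side router sees (fragment route plus its own query).
function splitSpaUrl(url) {
  const hashAt = url.indexOf('#');
  const serverSide = hashAt === -1 ? url : url.slice(0, hashAt);
  const fragment = hashAt === -1 ? '' : url.slice(hashAt + 1);
  const [route, query = ''] = fragment.split('?');
  const params = Object.fromEntries(new URLSearchParams(query));
  return { serverSide, route, params };
}

// Pull $routeProvider.when(...) paths and every templateUrl out of the source.
// Regexes are deliberately simple; they assume string literals, not expressions.
function extractAngularRoutes(js) {
  const routes = [...js.matchAll(/\.when\(\s*['"]([^'"]+)['"]/g)].map(m => m[1]);
  const templates = [...js.matchAll(/templateUrl\s*:\s*['"]([^'"]+)['"]/g)].map(m => m[1]);
  return { routes, templates: [...new Set(templates)] };
}

// Templates are static files fetched with a plain GET relative to the app
// origin, so they can be requested and reviewed like any other source file.
function templateRequests(origin, js) {
  return extractAngularRoutes(js).templates.map(t => new URL(t, origin).href);
}

console.log(splitSpaUrl('https://abc.example/#/dashboard?browse=all'));
console.log(extractAngularRoutes(sampleAppJs));
console.log(templateRequests('https://abc.example/', sampleAppJs));
```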

Taher Barodawala

Mar 15, 2016, 7:13:11 AM
to null
Hi Sanjeev,

This problem occurs in SPAs where a good part of the business logic is in client-side JS files.

I had used Chrome developer tools to set breakpoints at appropriate intervals in an important JS file that the application downloaded, and used the console to manipulate JS variables.
Check the Sources tab for such JS files.

For the AJAX requests that are sent back to the server, use the AJAX Spider extension in OWASP ZAP.

Anant Shrivastava

Mar 15, 2016, 7:14:26 AM
to null-...@googlegroups.com

Anant Shrivastava 
Web : http://anantshri.info

Akash

Mar 15, 2016, 7:31:12 AM
to null-...@googlegroups.com
Maybe I haven't understood the question, or possibly my knowledge is limited here.

Consider that we are talking about finding security issues (maybe OWASP Top 10?) in an application that is running in the browser and might have some data exchange with the backend server. 

So at this point, what exactly would you be able to pen test?

1. XSS issues
2. Injection if the data store is in the browser
3. Not sure if auth issues can be tested unless some data (JSON?) is exchanged 
Sanjeev Kumar Jaiswal

Mar 16, 2016, 7:25:00 AM
to null
Thanks Anant. I will check and explore OWASP_AJAX_Crawling_Tool.
It will solve some of my work assignment for sure :D

Sanjeev Kumar Jaiswal

Mar 16, 2016, 7:25:17 AM
to null
Thanks Akash, Anant and Taher for your time and response.

Yes Akash, I would be able to test and find security issues related to OWASP TOP 10.

Just learning AngularJS programming for a better hold on AngularJS security, to understand the developer's mind :)

@Taher,
Yes, currently I am doing the same as you suggested and having success too. But at some stage we need to automate such attacks, apart from business logic flaws.
So, I was a bit concerned whether any tool is available explicitly for this.

I will go through the AJAX Spider extension in OWASP ZAP.

Thanks all once again.

Regards,
Sanjeev

Akash

Mar 17, 2016, 1:27:36 AM
to null-...@googlegroups.com

Sanjeev Kumar Jaiswal

Mar 18, 2016, 5:18:33 AM
to null
I had gone through the ppt but not through the YouTube video of his talk.
Thanks for sharing the link. It will be more useful and informative; bookmarking this video.

Regards,
Sanjeev

Akash

Mar 26, 2016, 4:32:47 AM
to null-...@googlegroups.com

Sanjeev Kumar Jaiswal

Mar 26, 2016, 5:32:04 PM
to null
Yes, I found this while asking questions with you security geeks. Thank you so much for recommending this link.
I will write one post for the similar question where all such links and resources are in one place.

Regards,
Sanjeev