2024-03-17 00:14:49 +05:30
|
|
|
id: angular-client-side-template-injection
|
|
|
|
|
|
|
|
|
|
info:
|
|
|
|
|
name: Angular Client-side-template-injection
|
|
|
|
|
author: theamanrawat
|
|
|
|
|
severity: high
|
2024-04-08 12:15:08 +05:30
|
|
|
description: |
|
|
|
|
|
Detects Angular client-side template injection vulnerability.
|
|
|
|
|
impact: |
|
|
|
|
|
May lead to remote code execution or sensitive data exposure.
|
|
|
|
|
remediation: |
|
|
|
|
|
Sanitize user inputs and avoid using user-controlled data in template rendering.
|
2024-03-17 00:14:49 +05:30
|
|
|
reference:
|
|
|
|
|
- https://www.acunetix.com/vulnerabilities/web/angularjs-client-side-template-injection/
|
|
|
|
|
- https://portswigger.net/research/xss-without-html-client-side-template-injection-with-angularjs
|
2024-04-08 12:15:08 +05:30
|
|
|
tags: angular,csti,dast,headless,xss
|
2024-03-17 00:14:49 +05:30
|
|
|
|
|
|
|
|
variables:
|
|
|
|
|
first: "{{rand_int(1000, 9999)}}"
|
|
|
|
|
second: "{{rand_int(1000, 9999)}}"
|
|
|
|
|
result: "{{to_number(first)*to_number(second)}}"
|
|
|
|
|
|
|
|
|
|
headless:
|
|
|
|
|
- steps:
|
|
|
|
|
- action: navigate
|
|
|
|
|
args:
|
|
|
|
|
url: "{{BaseURL}}"
|
2024-04-08 12:15:08 +05:30
|
|
|
|
2024-03-17 00:14:49 +05:30
|
|
|
- action: waitload
|
|
|
|
|
|
|
|
|
|
payloads:
|
|
|
|
|
payload:
|
|
|
|
|
- '{{concat("{{", "{{first}}*{{second}}", "}}")}}'
|
|
|
|
|
|
|
|
|
|
fuzzing:
|
|
|
|
|
- part: query
|
|
|
|
|
type: postfix
|
|
|
|
|
mode: single
|
|
|
|
|
fuzz:
|
|
|
|
|
- "{{payload}}"
|
|
|
|
|
|
|
|
|
|
matchers:
|
|
|
|
|
- type: word
|
|
|
|
|
part: body
|
|
|
|
|
words:
|
|
|
|
|
- "{{result}}"
|
2024-12-01 13:57:55 +00:00
|
|
|
# digest: 4a0a00473045022020e22f3aa1d49de743347240f3cfc2d4aaa31d402183612be52fd033f51e0792022100a2ed81987f5a5c068275bcf09d505c3582738155068ebb6511cea83023af40c1:922c64590222798bb761d5b6d8e72950
|
