2024-03-16 18:44:49 +00:00
|
|
|
id: angular-client-side-template-injection
|
|
|
|
|
|
|
|
|
|
info:
|
|
|
|
|
name: Angular Client-side-template-injection
|
|
|
|
|
author: theamanrawat
|
|
|
|
|
severity: high
|
|
|
|
|
reference:
|
|
|
|
|
- https://www.acunetix.com/vulnerabilities/web/angularjs-client-side-template-injection/
|
|
|
|
|
- https://portswigger.net/research/xss-without-html-client-side-template-injection-with-angularjs
|
2024-03-23 09:32:51 +00:00
|
|
|
tags: angular,csti,dast
|
2024-03-16 18:44:49 +00:00
|
|
|
|
|
|
|
|
variables:
|
|
|
|
|
first: "{{rand_int(1000, 9999)}}"
|
|
|
|
|
second: "{{rand_int(1000, 9999)}}"
|
|
|
|
|
result: "{{to_number(first)*to_number(second)}}"
|
|
|
|
|
|
|
|
|
|
headless:
|
|
|
|
|
- steps:
|
|
|
|
|
- action: navigate
|
|
|
|
|
args:
|
|
|
|
|
url: "{{BaseURL}}"
|
|
|
|
|
- action: waitload
|
|
|
|
|
|
|
|
|
|
payloads:
|
|
|
|
|
payload:
|
|
|
|
|
- '{{concat("{{", "{{first}}*{{second}}", "}}")}}'
|
|
|
|
|
|
|
|
|
|
fuzzing:
|
|
|
|
|
- part: query
|
|
|
|
|
type: postfix
|
|
|
|
|
mode: single
|
|
|
|
|
fuzz:
|
|
|
|
|
- "{{payload}}"
|
|
|
|
|
|
|
|
|
|
matchers:
|
|
|
|
|
- type: word
|
|
|
|
|
part: body
|
|
|
|
|
words:
|
|
|
|
|
- "{{result}}"
|
