2024-03-16 18:44:49 +00:00
|
|
|
id: angular-client-side-template-injection
|
|
|
|
|
|
|
|
|
|
info:
|
|
|
|
|
name: Angular Client-side-template-injection
|
|
|
|
|
author: theamanrawat
|
|
|
|
|
severity: high
|
2024-04-08 06:45:08 +00:00
|
|
|
description: |
|
|
|
|
|
Detects Angular client-side template injection vulnerability.
|
|
|
|
|
impact: |
|
|
|
|
|
May lead to remote code execution or sensitive data exposure.
|
|
|
|
|
remediation: |
|
|
|
|
|
Sanitize user inputs and avoid using user-controlled data in template rendering.
|
2024-03-16 18:44:49 +00:00
|
|
|
reference:
|
|
|
|
|
- https://www.acunetix.com/vulnerabilities/web/angularjs-client-side-template-injection/
|
|
|
|
|
- https://portswigger.net/research/xss-without-html-client-side-template-injection-with-angularjs
|
2024-04-08 06:45:08 +00:00
|
|
|
tags: angular,csti,dast,headless,xss
|
2024-03-16 18:44:49 +00:00
|
|
|
|
|
|
|
|
variables:
|
|
|
|
|
first: "{{rand_int(1000, 9999)}}"
|
|
|
|
|
second: "{{rand_int(1000, 9999)}}"
|
|
|
|
|
result: "{{to_number(first)*to_number(second)}}"
|
|
|
|
|
|
|
|
|
|
headless:
|
|
|
|
|
- steps:
|
|
|
|
|
- action: navigate
|
|
|
|
|
args:
|
|
|
|
|
url: "{{BaseURL}}"
|
2024-04-08 06:45:08 +00:00
|
|
|
|
2024-03-16 18:44:49 +00:00
|
|
|
- action: waitload
|
|
|
|
|
|
|
|
|
|
payloads:
|
|
|
|
|
payload:
|
|
|
|
|
- '{{concat("{{", "{{first}}*{{second}}", "}}")}}'
|
|
|
|
|
|
|
|
|
|
fuzzing:
|
|
|
|
|
- part: query
|
|
|
|
|
type: postfix
|
|
|
|
|
mode: single
|
|
|
|
|
fuzz:
|
|
|
|
|
- "{{payload}}"
|
|
|
|
|
|
|
|
|
|
matchers:
|
|
|
|
|
- type: word
|
|
|
|
|
part: body
|
|
|
|
|
words:
|
|
|
|
|
- "{{result}}"
|
2024-04-08 07:07:11 +00:00
|
|
|
# digest: 4a0a00473045022100adfe788d650a997bddf7f4876f1308a9d1ea62d43e7b90abca139f455492d4e902203223d59aac1aa4374770127adface5ccebfd4a4dc8fdfef8b240578bf7b6df72:922c64590222798bb761d5b6d8e72950
|
