Hello everyone! This is an XSS write-up that you can learn from, and quite an odd one. In this blog I am sharing one of my findings that you should all pay attention to.
I got this issue from a private program in HackerOne and it's quite interesting.
In this program, I was given only one domain, which had a login page with registration. After registering on the application, I tried to find bugs such as CSRF, IDOR, SQL injection, etc., but I didn't find anything interesting.
My last step was to check for XSS, so I started searching for parameters, but found no results.
I checked the source code in the browser and started looking for hidden parameters; then I found a parameter named "next".
I tried injecting XSS payloads into it, but nothing worked.
Then I noticed that this website is built with Angular. I had recently read an article about Client-Side Template Injection (CSTI). After reading the HackTricks article, I experimented with template injection payloads.
I started with the basic probe, {{7*7}}. I tried injecting it, but nothing happened. I gave up and tried to log in to the application, but the URL returned "49".
I finally got a response. In the next step, I inserted the XSS payload for AngularJS mentioned in Hackarticles.
Woolaaaa... got a pop-up, finally!
Reported it with a PoC and demonstrated the impact: cookie stealing leading to account compromise.
Remediation
- The next parameter should not be user-controlled.
- Preferably set HttpOnly cookies so that JavaScript cannot be used to steal them.
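As an added example (not code from the original post or the affected program), here is one way to apply the first remediation point: a server-side validator that accepts only same-origin paths for "next" and rejects anything carrying Angular interpolation or ng-* attribute syntax, plus a small detector that flags such probes in access logs. The log lines are constructed samples, and the function names are my own.

```javascript
// Added example, not from the original post: validate the "next" parameter
// before it is reflected, and flag AngularJS-style interpolation in request logs.

const TEMPLATE_EXPR = /\{\{[\s\S]*?\}\}/;      // {{ ... }} interpolation syntax
const ANGULAR_EVENT_ATTR = /\bng-[a-z]+\s*=/i;  // ng-focus= style attribute payloads

// Accept only an absolute-path URL on this origin, e.g. "/account?tab=1".
// Rejects scheme-relative "//host", full URLs, line breaks, markup characters
// and anything carrying template syntax, so the value never reaches Angular
// as an expression even if it is reflected into the page.
function isSafeNextParam(value) {
  if (typeof value !== 'string' || value.length === 0 || value.length > 512) return false;
  if (!value.startsWith('/') || value.startsWith('//') || value.startsWith('/\\')) return false;
  if (/[\r\n\0<>"']/.test(value)) return false;
  if (TEMPLATE_EXPR.test(value) || ANGULAR_EVENT_ATTR.test(value)) return false;
  return true;
}

// Server-side helper: use the supplied value only when it validates, else a default.
function resolveNext(value, fallback = '/') {
  return isSafeNextParam(value) ? value : fallback;
}

// Detection: return the client IPs and targets of requests whose query string
// carries interpolation or ng-* attribute syntax (URL-decoded before matching).
function findTemplateInjectionAttempts(logLines) {
  const hits = [];
  for (const line of logLines) {
    const m = line.match(/^(\S+) .*? "(?:GET|POST) (\S+)/);
    if (!m) continue;
    const [, clientIp, target] = m;
    const query = target.split('?')[1] || '';
    let decoded;
    try { decoded = decodeURIComponent(query); } catch { decoded = query; }
    if (TEMPLATE_EXPR.test(decoded) || ANGULAR_EVENT_ATTR.test(decoded)) {
      hits.push({ clientIp, target });
    }
  }
  return hits;
}

// Constructed sample access-log lines (Apache combined style), not real traffic.
const SAMPLE_LOG = [
  '203.0.113.5 - - [10/Sep/2022:16:01:02 +0000] "GET /login?next=/dashboard HTTP/1.1" 200 512',
  '203.0.113.9 - - [10/Sep/2022:16:02:11 +0000] "GET /login?next=%7B%7B7*7%7D%7D HTTP/1.1" 200 512',
  '198.51.100.2 - - [10/Sep/2022:16:03:40 +0000] "GET /login?next=//evil.example/ HTTP/1.1" 200 512',
];

console.log(resolveNext('{{7*7}}'), findTemplateInjectionAttempts(SAMPLE_LOG));
```

Validation alone does not make a reflected value safe to render as an Angular template; the value should also be placed with a binding that treats it as text, and the validator is a belt-and-braces check on top of that.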
Tips:
Never forget to look for hidden parameters in the source code: open view-source and search for "hidden", "input", or "var".
Recommended payloads for CSTI:
AngularJS:
{{$on.constructor('alert(1)')()}}
{{constructor.constructor('alert(1)')()}}
<input ng-focus=$event.view.alert('XSS')>
VueJS:
V3:
{{_openBlock.constructor('alert(1)')()}}
V2:
{{constructor.constructor('alert(1)')()}}
That’s it. See you in the next write-up.
Connect with me on LinkedIn
Timeline
16:08, 10 Sep 2022: Reported the bug