Sharing Top Content from the Angular-sphere.

tom0x0a — XSS using AngularJS sandbox bypass


@timzaverin: published my first blog post in my report in @WordPress and got listed 2nd place in their hall of fame @Hacker0x01

Hi there, I’m Tom Chris. I made this blog to share some talks about web application security. I am from the Philippines. I’m currently participating in HackerOne. I’m not that kind of experienced hacker because I’m a newbie; I just want to share my findings because for me it’s amazing. You can find my HackerOne profile here: /codertom

Hi there, security researchers 😀 Today I’m gonna share how I got an XSS using an AngularJS sandbox bypass 😀

Before I start, I want to say a big thanks to PortSwigger and to all the contributors from whom I found those bypasses.

Okay, let’s start. I found the XSS in the swag store of wordpress.org :D. In case you don’t know, WordPress.org is running its bug bounty program on HackerOne, so if you find a vulnerability in wordpress.org you can report it to them through their security page on HackerOne. Just read the policies carefully and get some $$$ if the vulnerability you found is valid 😀

During my recon I tend to view its source code, maybe there is some good information I can get 😛 One thing that would catch my attention every time is if there is:

So after reviewing the source code of https://mercantile.wordpress.org I found those two mentioned above, so the next step was to try to inject the bypasses that can be found in PortSwigger’s blog.

The swag store has a search bar 😀 a great way to inject our payload.

Luckily on my first attempt the bypass by @cure53 worked, and then my chair started to shake 😀 😀

This is the payload I used:

After loading it in the browser a pop-up occurred with the domain name.

Then I reported it to the security team and the issue was fixed in 3 working days 😀 then a month after, a bounty was rewarded.

But I wasn’t content that there was only 1 reflected XSS on that site. After it was resolved I dug for more endpoints and I was amazed that there were 16 or more endpoints vulnerable to reflected XSS 😀 but they were only divided into two reports, as decided by the security team. I also found 2 stored XSS but they are self :3 both were already resolved and are waiting only for the bounty 😀

But during my test I did not only inject the payload used by cure53, I also injected the payload used by albinowax in his report to Uber; the payload can be seen here http://jsfiddle.net/8jd84f44/. But there are times when all those payloads won’t work if you just put them in directly :3. In my test I tried to make some bypasses to make it work: I tried to put a ? before the payload, it looks like this  ? and it worked out; sometimes I URL-encode it multiple times to make it work, and with all those bypasses I did get those XSS haha hooray!
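The encoding tricks above matter on the defending side too: a log check that looks only for a literal `{{` misses a double-encoded search term or one with a `?` in front. The following Python is added here and is not part of the original post; it percent-decodes each query parameter until the value stops changing and flags AngularJS interpolation markers. The access-log lines are constructed, and the regexes and function names are my own.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample access-log lines (not taken from the original post).
# Line 2 carries single-encoded {{1+1}}, line 3 the same value double-encoded,
# line 4 the "? before the payload" shape mentioned in the post.
SAMPLE_LOGS = [
    '10.0.0.1 - - [01/Jan/2020:10:00:00 +0000] "GET /?s=hoodie HTTP/1.1" 200 512',
    '10.0.0.2 - - [01/Jan/2020:10:00:01 +0000] "GET /?s=%7B%7B1%2B1%7D%7D HTTP/1.1" 200 512',
    '10.0.0.3 - - [01/Jan/2020:10:00:02 +0000] "GET /?s=%257B%257B1%252B1%257D%257D HTTP/1.1" 200 512',
    '10.0.0.4 - - [01/Jan/2020:10:00:03 +0000] "GET /?s=?%7B%7Bx%7D%7D HTTP/1.1" 200 512',
]

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
INTERP_RE = re.compile(r'\{\{.*?\}\}', re.DOTALL)   # AngularJS interpolation markers


def fully_decode(value, max_rounds=5):
    """Percent-decode until the string stops changing (bounded), so a
    double-encoded '{' (%257B) normalises the same as %7B or a literal '{'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(log_line):
    """Return [(param, normalised_value)] for every query parameter whose
    fully decoded value contains {{...}}; [] when the request looks benign."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return []
    query = urlsplit(match.group(1)).query
    hits = []
    for name, raw in parse_qsl(query, keep_blank_values=True):
        value = fully_decode(raw)   # parse_qsl already did one decode round
        if INTERP_RE.search(value):
            hits.append((name, value))
    return hits

def scan_logs(lines):
    """Return (line_number, hits) for each log line that deserves a look."""
    findings = []
    for number, line in enumerate(lines, 1):
        hits = suspicious_params(line)
        if hits:
            findings.append((number, hits))
    return findings
```

Flagging a request is only a trigger for review; the real fix is that the search term must never be rendered inside an AngularJS-compiled part of the page.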

Thank you for taking some time to read this, guys, I hope I helped some of you 😀 Just keep on searching, and if you find a bypass in AngularJS I would be glad to hear it if you can share it with me too; you can DM me on my Twitter https://twitter.com/timzaverin and let’s share some ideas 😀

I’m not that good at web application security but I love to share this because for me it is so amazing, and I hope someone out there also learned through this blog 😀

Visit my friend’s blog sometimes for more security talks

https://roy-castillo.blogspot.com

Best regards to all the security researchers out there.

Tom
