webPromedium

Lab 202 — WikiVault — AngularJS Client-Side Template Injection (XSS)

hackadvisor

Task: collaborative wiki platform with AngularJS 1.5.8 search page reflecting user input inside ng-app div without encoding curly braces; admin bot visits reported URLs. Solution: AngularJS CSTI with sandbox escape via charAt/trim override, Function constructor with String.fromCharCode to execute arbitrary JS, exfiltrate admin's non-HttpOnly flag cookie via same-origin comment POST.

$ ls tags/ techniques/

nodejs sandbox_escape xss cookie_stealing express admin_bot csti angularjs function_constructor same_origin_exfiltration client_side_template_injection fromcharcode

admin_bot_exploitationnon_httponly_cookie_theftangularjs_csti_sandbox_escapesame_origin_data_exfiltration_via_commentsfunction_constructor_arbitrary_jsstring_fromcharcode_parser_bypass

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

🔒

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[web][Pro]Lab 160 — WikiForge — Nginx Alias Path Traversal— hackadvisor
[web][Pro]Lab 330 — AuthVault — Blind LDAP Injection in Directory Lookup— hackadvisor
[web][Pro]Lanternfall— neurogrid
[web][Pro]Lab 16 — FileGate — Authentication Bypass in API Login— hackadvisor
[web][Pro]Lab 393 — ShareVault — Stored XSS via File Browser innerHTML— hackadvisor