webPromedium

Lab 202 — WikiVault — AngularJS Client-Side Template Injection (XSS)

hackadvisor

Task: collaborative wiki platform with AngularJS 1.5.8 search page reflecting user input inside ng-app div without encoding curly braces; admin bot visits reported URLs. Solution: AngularJS CSTI with sandbox escape via charAt/trim override, Function constructor with String.fromCharCode to execute arbitrary JS, exfiltrate admin's non-HttpOnly flag cookie via same-origin comment POST.

nodejs sandbox_escape xss cookie_stealing express admin_bot csti angularjs function_constructor same_origin_exfiltration client_side_template_injection fromcharcode

admin_bot_exploitationnon_httponly_cookie_theftangularjs_csti_sandbox_escapesame_origin_data_exfiltration_via_commentsfunction_constructor_arbitrary_jsstring_fromcharcode_parser_bypass

$ ls tags/ techniques/

nodejs sandbox_escape xss cookie_stealing express admin_bot csti angularjs function_constructor same_origin_exfiltration client_side_template_injection fromcharcode

admin_bot_exploitationnon_httponly_cookie_theftangularjs_csti_sandbox_escapesame_origin_data_exfiltration_via_commentsfunction_constructor_arbitrary_jsstring_fromcharcode_parser_bypass

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

Permission denied (requires tier.pro)

Sign in to access full writeups

Sign in with GitHub, Discord, or Google to continue. No email required.

$sign in

$ grep --similar

Similar writeups

[web][Pro]Lab 72 — WriteFlow — Stored XSS via WYSIWYG Editor Sanitizer Bypass— hackadvisor
[web][Pro]Lab 160 — WikiForge — Nginx Alias Path Traversal— hackadvisor
[web][Pro]Lab 201 — HelpWave — Stored XSS via SVG Animation Event Handler Bypass— hackadvisor
[web][Pro]Lab 70 — LivePulse— hackadvisor
[web][Pro]Lab 76 — DocuWeave — Stored XSS via Diagram Rendering Attribute Injection— hackadvisor