Have you ever heard about publicwww? It’s a search engine for source code: publicwww will find any alphanumeric snippet, signature or keyword in the HTML, JS and CSS code of web pages. They have this list of categories that you can search:
Advertising
Marketing
Analytics
Technologies
Frontend
Widgets
CMS
You can find it here: https://publicwww.com. They also have plans and pricing if you want to access their full database.
In the Technologies list you can find AngularJS. If you click on it, it will search for "angular.min.js" as the keyword.
Now open one of those sites, find the search box and search for {{191*7}} to test whether the site is vulnerable. If the page shows 1337 instead of the literal text, AngularJS evaluated the expression and the site is vulnerable.
After that, find out the AngularJS version to determine which payload you should use to trigger the XSS. You can use Wappalyzer for that. Find the AngularJS payload in the PortSwigger blog post by Gareth Heyes:
https://portswigger.net/research/xss-without-html-client-side-template-injection-with-angularjs
Use the payload to trigger XSS. In this case I used {{constructor.constructor('alert(/OPENBUGBOUNTY/)')()}} and it popped up nicely.
Reported to OpenBugBounty.org and approved.
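Why the {{191*7}} probe gets evaluated even on a site that HTML-encodes the search term, and one way to stop it, shown as an added example that is not from the original post. The function names and the page markup are hypothetical and constructed for illustration.

```javascript
// Added example; all function names and the markup are hypothetical.

// Standard HTML output encoding. "{" and "}" are not HTML metacharacters,
// so an AngularJS expression passes through this filter unchanged.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  }[c]));
}

// Weak: the reflected query is plain text inside the ng-app subtree,
// where AngularJS compiles any {{ ... }} it finds.
function renderVulnerable(query) {
  return `<div ng-app><p>Results for: ${escapeHtml(query)}</p></div>`;
}

// Hardened: the reflected text sits inside an ng-non-bindable element,
// which AngularJS skips when compiling. HTML encoding is still needed so
// the input cannot close the span and escape the protected region.
function renderHardened(query) {
  const safe = escapeHtml(query);
  return `<div ng-app><p>Results for: <span ng-non-bindable>${safe}</span></p></div>`;
}

// Check for a regression test: true when an interpolation marker survives
// outside every ng-non-bindable span in the rendered markup.
function hasLiveInterpolation(html) {
  const stripped = html.replace(/<span ng-non-bindable>[\s\S]*?<\/span>/g, "");
  return /\{\{[\s\S]*?\}\}/.test(stripped);
}

// Constructed sample inputs: the arithmetic probe from the post, and the same
// probe preceded by an attempt to close the protective span.
const probe = "{{191*7}}";
const breakout = "</span>{{191*7}}";

console.log(hasLiveInterpolation(renderVulnerable(probe)));  // true
console.log(hasLiveInterpolation(renderHardened(probe)));    // false
console.log(hasLiveInterpolation(renderHardened(breakout))); // false
```

ng-non-bindable is AngularJS's own directive for excluding an element from compilation; keeping server-reflected input out of the ng-app subtree altogether removes the problem at the source.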
Happy hacking! 🙂
Nice post.