How to find AngularJS XSS

Have you ever heard of publicwww? It’s a search engine for source code: it will find any alphanumeric snippet, signature or keyword in the HTML, JS and CSS code of web pages. They have this list of categories that you can search:

Advertising
Marketing
Analytics
Technologies
Frontend
Widgets
CMS


You can find it at https://publicwww.com. They also have plans and pricing if you want to access their full database.


In the Technologies list you can find AngularJS. If you click on it, it will search for "angular.min.js" as the keyword.


Now open one of those sites, find the search box and search for {{191*7}} to test whether the site is vulnerable. The result will be 1337 if it’s vulnerable.


After that, find out the AngularJS version to determine which payload you should use to trigger the XSS. You can use Wappalyzer for that. Find the AngularJS payload in the PortSwigger blog post by Gareth Heyes.

https://portswigger.net/research/xss-without-html-client-side-template-injection-with-angularjs


Use the payload to trigger XSS. In this case I use {{constructor.constructor('alert(/OPENBUGBOUNTY/)')()}} and it pops up nicely.


Reported to OpenBugBounty.org and approved.
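
For the site owner receiving a report like this, the following added example (not code from this post or from any reported site) shows why an HTML-escaped search term still evaluates inside an ng-app scope and how to reflect it safely. The template markup and function names are hypothetical.

```javascript
// Added example: constructed search-results templates, hypothetical names.

// Standard HTML escaping. "{" and "}" are not HTML metacharacters, so an
// AngularJS expression such as {{191*7}} passes through unchanged.
// Entity-encoding the braces does not help either: the browser decodes
// entities before AngularJS reads the text node.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  }[c]));
}

// Weak: the escaped query lands inside the ng-app scope, where AngularJS
// compiles text nodes and evaluates anything between {{ and }}.
function renderVulnerable(query) {
  return `<div ng-app><p>Results for: ${escapeHtml(query)}</p></div>`;
}

// Hardened: the reflected value sits in an ng-non-bindable element, which
// AngularJS skips during compilation. Escaping is still required so the
// value cannot close the <span> and leave the protected element.
function renderHardened(query) {
  return `<div ng-app><p>Results for: ` +
    `<span ng-non-bindable>${escapeHtml(query)}</span></p></div>`;
}

// Regression check for your own templates: true when an interpolation marker
// remains outside every ng-non-bindable span. Assumes the protected span has
// no nested spans, which holds here because its content is escaped.
function hasBindableInterpolation(html) {
  const outside = html.replace(/<span ng-non-bindable>[\s\S]*?<\/span>/g, "");
  return /\{\{[\s\S]*?\}\}/.test(outside);
}
```

Running `hasBindableInterpolation` over rendered pages in a test suite, with the {{191*7}} probe as input, catches templates that reflect user input into a bindable scope before they ship.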

Happy hacking! 🙂
