Tale of XSS in Angular
Hello Security Researchers and Hackers,
In this writeup I will explain how I was able to get 2 reflected XSS (rXSS) findings in Angular using automation and simple payloads from GitHub.
First of all I will explain my recon automation and how I was able to detect the XSS on those 2 subdomains. I'm currently a subscriber to Findomain Maintained, created by Ed, who originally created Findomain Public.
His service allows you to add the targets you want and perform a lot of cool stuff on the subdomains it finds, which looks as follows:
and many more; you can head over to his website to check the packages he offers, and you may end up getting one for yourself.
I was looking at my Telegram, where I had set up notifications for recently found subdomains, and I saw 2 newly discovered ones that I wanted to take a small look at. With the Wappalyzer plugin I saw that both assets were using Angular 1.6, for which I had previously seen an XSS payload on GitHub that works.
I tried to log in and received an error, since my email is not in the authorized organization: https://redacted.com/Home/Error?error=User+Not+Auhtorized
Since the error message was reflected on the page, I directly pasted the XSS payload from PayloadsAllTheThings on GitHub, and BOOM!!
I tried the same thing on the other subdomain and got the same behaviour. I immediately reported both XSS, and they were triaged and paid within 2 days.
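To make the sink concrete from the defender's side, here is an added example (not code from the original post or from the affected site) contrasting the vulnerable reflection pattern with a hardened one, plus a check that flags `{{...}}` in query parameters for log or WAF review. The `reflect_error_*` helpers, the error-page layout and the request URLs are assumptions; only the `error` parameter name comes from the writeup.

```python
import html
import re
from urllib.parse import parse_qs, urlparse

# AngularJS 1.x compiles {{ ... }} found in the text of any element under ng-app,
# so a reflected parameter that lands inside that scope is a client-side template
# injection sink. HTML-entity encoding alone does not help: the browser decodes
# entities before AngularJS reads the text node.
INTERPOLATION = re.compile(r"\{\{.*?\}\}", re.DOTALL)


def reflect_error_unsafe(message: str) -> str:
    """Vulnerable pattern (hypothetical): the escaped error text still sits inside
    the ng-app scope, so AngularJS interpolates any {{...}} it contains."""
    return f'<div ng-app><p class="error">{html.escape(message)}</p></div>'


def reflect_error_safe(message: str) -> str:
    """Hardened pattern: ng-non-bindable tells AngularJS not to compile the
    element, while html.escape still blocks plain HTML injection."""
    return (
        '<div ng-app><p class="error" ng-non-bindable>'
        f"{html.escape(message)}</p></div>"
    )


def is_template_expression(value: str) -> bool:
    """Detection check: True when a value carries an AngularJS interpolation."""
    return INTERPOLATION.search(value) is not None


def flag_request_url(url: str) -> list[str]:
    """Return the names of query parameters whose (URL-decoded) values contain
    {{...}}; useful for reviewing access logs of error/redirect endpoints."""
    params = parse_qs(urlparse(url).query, keep_blank_values=True)
    return [
        name
        for name, values in params.items()
        if any(is_template_expression(v) for v in values)
    ]


if __name__ == "__main__":
    # Constructed sample URLs: the benign one from the writeup and one carrying
    # a harmless {{1+1}} probe, which is how a tester confirms the sink exists.
    for u in (
        "https://redacted.com/Home/Error?error=User+Not+Auhtorized",
        "https://redacted.com/Home/Error?error=%7B%7B1%2B1%7D%7D",
    ):
        print(u, "->", flag_request_url(u))
```

Fixing the view with `ng-non-bindable` (or rendering the message outside the `ng-app` scope) removes the interpolation sink; the detection helper is only for spotting probes in logs, not a substitute for the fix.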
Takeaways
Whenever you have an XSS, try to escalate the impact. In my case the host had a wide cookie domain, which allowed me to grab the cookie of an authenticated user, but unfortunately it was resolved as Low since I didn't show impact.