Stored XSS on Angular JS 1.4.9

Vishal Bharad
Feb 10, 2020

Introduction:

Hello, I am Vishal Bharad. I'm here to share my findings on a Stored XSS on Angular JS 1.4.9.

Angular JS is a JavaScript framework used in many websites. In this case the input was not validated on the server side; it was validated only on the client side. That means when we simply type the payload into the input field, it gives an error, but when we put the payload into the request in Burp Suite and forward it, the server accepts it.

About the Vulnerability:

While looking for this bug I found a page with two input fields, Website Name and URL. When other users click on the saved link, the XSS triggers.

When we simply put the payload in the URL parameter, the website rejects it, but only on the client side, where it gives an error. When we put the same payload into the request in Burp Suite, it is not validated, which means the payload is validated only on the client side.

Tools Used for this Vulnerability:

  1. BurpSuite

Steps to Reproduce:

I tested one URL whose framework is Angular JS 1.4.9. Consider it to be https://target.com

  1. Go to https://target.com/<user_account>/UsefulLinks/. There are two fields: one is Website Name and the other is URL.
  2. Here URL is the vulnerable parameter.
    (When we simply put the payload in the URL parameter, the website rejects it, but only on the client side, where it gives an error. When we put the same payload into the request in Burp Suite, it is not validated, which means the payload is validated only on the client side.)
  3. In Website Name type anything, for example “XSS”, and in the URL field put a URL like http://example.com
  4. Click Submit and capture the request in Burp Suite. In Burp Suite, replace the URL http://example.com with javascript:confirm("Stored_XSS");
Vulnerable Field

Vulnerable code:

<div class="col-sm-12 form-group">
  <label class="col-sm-5 control-label no-padding-right" for="UL_URL">URL<span class="red">*</span></label>
  <div class="col-sm-4">
    <input id="UL_URL" name="UL_URL" class="form-control required" placeholder="http://" type="text" value="http://"><span></span>
  </div>
</div>
Burp Screenshot

5. Click Submit and save.

6. Now when anyone clicks on that Website Name, the XSS triggers in a new window.

Trigger XSS

Impact

The attacker can steal data or cookies from whoever clicks on the Useful Link.

Remediation

Scripts or payloads need to be validated and sanitized on the server side.
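
One way to do that check on the server for the URL field, as an added example (not code from the tested application). The names validateLinkUrl, ALLOWED_SCHEMES and MAX_URL_LENGTH are hypothetical, and the sketch assumes a Node.js backend that receives the UL_URL value as a string.

```javascript
// Added example: server-side allowlist check for the UL_URL field before it is stored.
// validateLinkUrl, ALLOWED_SCHEMES and MAX_URL_LENGTH are hypothetical names.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);
const MAX_URL_LENGTH = 2048; // assumed limit for a link field

function validateLinkUrl(raw) {
  if (typeof raw !== "string" || raw.length === 0 || raw.length > MAX_URL_LENGTH) {
    return { ok: false, reason: "missing or too long" };
  }
  // URL parsers silently strip tabs and newlines, so "java\tscript:" would
  // otherwise parse as "javascript:". Reject such input instead of fixing it.
  if (/[\u0000-\u0020\u007f]/.test(raw)) {
    return { ok: false, reason: "control or whitespace character" };
  }
  let parsed;
  try {
    parsed = new URL(raw); // absolute URLs only; anything else throws
  } catch (e) {
    return { ok: false, reason: "not an absolute URL" };
  }
  // The parser lowercases the scheme, so "JaVaScRiPt:" is compared as "javascript:".
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) {
    return { ok: false, reason: "scheme not allowed: " + parsed.protocol };
  }
  // Store the normalized form, not the raw string the client sent.
  return { ok: true, url: parsed.href };
}

// Constructed sample submissions, including the value from the steps above.
const samples = [
  "http://example.com",
  'javascript:confirm("Stored_XSS");',
  "JaVaScRiPt:confirm(1)",
  "java\tscript:confirm(1)",
  "example.com",
];

function checkSamples() {
  return samples.map((s) => ({ input: s, result: validateLinkUrl(s) }));
}

for (const { input, result } of checkSamples()) {
  console.log(JSON.stringify(input), "->", result.ok ? result.url : "rejected: " + result.reason);
}
```

The stored value still has to be output-encoded when it is written into the link's href, since the allowlist only constrains the scheme.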

Thank You

Looking forward to sharing more blogs

Best Regards

Vishal Bharad

Linkedin Profile : https://www.linkedin.com/in/vishal-bharad-b476b388/


Vishal Bharad

Penetration Tester, Bug Bounty Hunter, Security Researcher