Stored XSS on Angular JS 1.4.9
Hello, I am Vishal Bharad. I'm here to share my findings on a stored XSS on Angular JS 1.4.9.
About the Vulnerability:
While discovering this bug, I found a page with input fields for Website Name and URL; when other users click on that link, the XSS will trigger.
When we simply put the payload in the URL parameter, the website rejects it, but only on the client side: it gives an error. But when we put the same payload in through Burp Suite, it is not validated, which means the payload is only validated on the client side.
Tools Used for this Vulnerability:
Steps to Reproduce:
I tested this on one URL whose framework is Angular JS 1.4.9. Consider it to be https://target.com
1. Go to https://target.com/<user_account>/UsefulLinks/. There are two fields: one is Website Name and the other is URL.
- Here, URL is the vulnerable parameter.
(When we simply put the payload in the URL parameter, the website rejects it, but only on the client side: it gives an error. But when we put the same payload in through Burp Suite, it is not validated, which means the payload is only validated on the client side.)
- In Website Name, type anything, for example “XSS”, and in the URL field put a URL like http://example.com
The vulnerable code is:

    <div class="col-sm-12 form-group">
      <label class="col-sm-5 control-label no-padding-right" for="UL_URL">URL<span class="red">*</span></label>
      <input id="UL_URL" name="UL_URL" class="form-control required" placeholder="http://" type="text" value="http://"><span></span>
    </div>

5. Click Submit and save.
6. Now, when anyone clicks on that Website Name, the XSS will trigger in a new window.
The attacker can steal data or cookies from whoever clicks on the Useful Link.
Scripts or payloads need to be validated and sanitized on the server side.
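One way to enforce that check on the server for the URL field, as an added example that is not code from the original post or from the tested application. It assumes a Node.js backend; `validateLinkUrl`, `escapeHtmlAttr`, `renderUsefulLink`, the length limit and the sample inputs are hypothetical and constructed for illustration.

```javascript
// Server-side allowlist validation for the "URL" field (UL_URL in the form above).
// Client-side checks are bypassed by any request sent outside the browser form,
// so the same rule has to run again before the value is stored or rendered.

const ALLOWED_SCHEMES = new Set(['http:', 'https:']);
const MAX_URL_LENGTH = 2048; // assumed limit, adjust to the application

// Returns the normalised URL string, or null if the input must be rejected.
function validateLinkUrl(raw) {
  if (typeof raw !== 'string') return null;
  if (raw.length === 0 || raw.length > MAX_URL_LENGTH) return null;
  // Reject whitespace and control characters outright: URL parsers silently
  // strip some of them, which would hide the scheme actually being used.
  if (/[\u0000-\u0020\u007f]/.test(raw)) return null;

  let parsed;
  try {
    parsed = new URL(raw); // absolute URLs only; relative or empty-host input throws
  } catch {
    return null;
  }
  // The parser lower-cases the scheme, so mixed-case variants are caught here.
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) return null;
  return parsed.href;
}

// Encode a value for use inside a double-quoted HTML attribute or text node.
function escapeHtmlAttr(value) {
  return String(value).replace(/[&<>"'`]/g, (c) => '&#' + c.charCodeAt(0) + ';');
}

// Render a stored link; returns null when the stored URL fails validation,
// so a value that slipped in earlier is never emitted as an href.
function renderUsefulLink(name, rawUrl) {
  const href = validateLinkUrl(rawUrl);
  if (href === null) return null;
  return '<a href="' + escapeHtmlAttr(href) +
    '" target="_blank" rel="noopener noreferrer">' +
    escapeHtmlAttr(name) + '</a>';
}
```

Running the validator both when the form is submitted and again when the link is rendered also covers values that were stored before the check existed.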
Looking forward to sharing more blogs.
LinkedIn Profile: https://www.linkedin.com/in/vishal-bharad-b476b388/