Sicksec

Summary

A security researcher describes how they leveraged automation and simple XSS payloads from GitHub to discover two reflected cross-site scripting (rXSS) vulnerabilities in Angular applications on newly found subdomains.

Abstract

The article details the researcher's methodology for discovering two instances of rXSS in Angular applications. Utilizing automation tools provided by the subscription-based service Findomain, the researcher identified new subdomains. With the aid of the browser extension Wappalyzer, it was determined that these subdomains were running Angular 1.6, a version known to be susceptible to XSS attacks. The researcher then successfully exploited a known XSS payload from the PayloadsAllTheThings repository to demonstrate the vulnerability on two subdomains. The reflected error message on the targeted pages was instrumental in the exploitation. Both vulnerabilities were reported and addressed within two days, with the researcher emphasizing the importance of escalating the impact of such vulnerabilities to demonstrate their potential severity.

Opinions

  • The author values the use of automation tools like Findomain for efficient reconnaissance and discovery of subdomains.
  • The author recommends using Wappalyzer to quickly identify the technologies used by target assets.
  • The researcher suggests that the impact of an XSS vulnerability can be significant, especially if the host has a wide domain that could allow the capture of cookies from authenticated users.
  • Despite the quick resolution of the reported vulnerabilities, the researcher implies that the severity of the rXSS might have been underestimated as "Low" due to the lack of demonstrated impact on authenticated users.

Tale of XSS in Angular

Automation helps get easy $$$ rXSS

Photo by Ferenc Almasi on Unsplash

Hello Security Researchers and Hackers

In this writeup I will explain how I was able to get 2 rXSS in Angular using automation and simple payloads from GitHub.

First of all I will explain my recon automation and how I was able to detect the XSS on those 2 subdomains. I'm currently a subscriber to Findomain, maintained and created by Ed, who originally created Findomain Public.

His service lets you add the targets you want and run a lot of cool stuff on the subdomains it finds, which looks as follows

and many more; you can head over to his website to check the packages he offers, and you may end up getting one for yourself.

I was looking at my Telegram channel, where I have the recently found subdomains delivered, and I saw 2 newly discovered ones that I wanted to take a quick look at. With the Wappalyzer plugin I saw that both assets were using Angular 1.6, for which I had previously seen a working XSS payload on GitHub.

I tried to log in and received an error, since my email is not in the authorized organization: https://redacted.com/Home/Error?error=User+Not+Auhtorized

Since the error message was reflected on the page, I directly passed in the Angular XSS payload from PayloadsAllTheThings on GitHub and BOOM!!

I tried the same thing on the other subdomain and got the same behavior. I immediately reported both XSS and they got triaged and paid within 2 days.
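The root cause described above is worth seeing in code: the error text is reflected into a page that AngularJS 1.x bootstraps on, so even a properly HTML-escaped value is still parsed for `{{...}}` interpolation by the framework. The following is an added example, not code from the original post or from the affected applications; the `/Home/Error?error=` route mirrors the writeup, but the server-side rendering functions, the error catalogue and the sample inputs are constructed for illustration. It shows the reflecting pattern beside a hardened one that maps the parameter to a fixed message and marks the container `ng-non-bindable`, plus a small check a defender can run in unit tests or over request logs.

```javascript
// Added example (not from the original post): reflected error message inside an
// AngularJS 1.x app, the vulnerable pattern beside the hardened one.
// Route shape /Home/Error?error=... follows the writeup; everything else here
// (function names, error catalogue, sample inputs) is constructed.

const ANGULAR_INTERPOLATION = /\{\{|\}\}/; // AngularJS interpolation markers

// Minimal HTML escaping. Escaping alone does NOT stop AngularJS interpolation:
// '{' and '}' are not HTML metacharacters, so {{...}} survives escaping and is
// still evaluated by AngularJS when it lands inside the ng-app element.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// VULNERABLE pattern: the parameter is HTML-escaped (classic <script> injection
// fails) but it is rendered inside the element AngularJS bootstraps on, so any
// {{...}} in it is treated as an expression and evaluated client-side.
function renderErrorPageVulnerable(errorParam) {
  return [
    '<!DOCTYPE html><html ng-app="app"><body>',
    '<div class="alert">' + escapeHtml(errorParam) + '</div>',
    '<script src="/angular-1.6.js"></script>',
    '</body></html>',
  ].join('\n');
}

// Fixed catalogue of messages; a request may only select one by key.
const ERROR_MESSAGES = {
  not_authorized: 'User Not Authorized',
  session_expired: 'Your session has expired, please sign in again',
};
const DEFAULT_MESSAGE = 'An error occurred';

// HARDENED pattern: (1) never reflect free text, map the value to a fixed
// message; (2) mark the container ng-non-bindable so AngularJS skips
// interpolation there even if free text is reflected by a later change.
function renderErrorPageHardened(errorParam) {
  const key = String(errorParam).toLowerCase();
  const message = Object.prototype.hasOwnProperty.call(ERROR_MESSAGES, key)
    ? ERROR_MESSAGES[key]
    : DEFAULT_MESSAGE;
  return [
    '<!DOCTYPE html><html ng-app="app"><body>',
    '<div class="alert" ng-non-bindable>' + escapeHtml(message) + '</div>',
    '<script src="/angular-1.6.js"></script>',
    '</body></html>',
  ].join('\n');
}

// Defender-side check: did interpolation markers from the request end up in
// the rendered page? Usable as a template unit test, and the same regex is a
// cheap log heuristic for flagging parameters that contain {{ or }}.
function reflectsInterpolation(html, input) {
  return ANGULAR_INTERPOLATION.test(input) && html.includes(escapeHtml(input));
}

// Constructed sample request values: an ordinary message and a canary probe.
const SAMPLE_INPUTS = ['User Not Authorized', '{{7*7}}'];

function demo() {
  return SAMPLE_INPUTS.map((input) => ({
    input,
    vulnerableReflects: reflectsInterpolation(renderErrorPageVulnerable(input), input),
    hardenedReflects: reflectsInterpolation(renderErrorPageHardened(input), input),
  }));
}

console.log(demo());
```

The key design point is that output encoding is the wrong layer for this bug: the browser-side template engine, not the HTML parser, is what interprets the reflected text, so the fix has to either keep untrusted strings out of Angular-bound DOM entirely (the catalogue lookup) or explicitly exclude that DOM region from binding (`ng-non-bindable`). Doing both gives defence in depth if a future change reintroduces free-text reflection.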

Takeaways

Whenever you have an XSS, try to escalate the impact. In my case the host had a wide domain, which would have allowed me to grab the cookie of an authenticated user, but unfortunately it was resolved as Low since I didn't show impact.
