Hackers Using APTs To Exploit Covid-19 Fears

The U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency and the U.K. National Cyber Security Centre recently released a rare joint statement warning of the rise of APT groups using phishing campaigns exploiting the wo…

Adapting AngularJS Payloads to Exploit Real World Applications

Every experienced pentester knows there is a lot more to XSS than <script>alert(1)</script> – filtering, encoding, browser quirks and WAFs all team up to keep things interesting. AngularJS Template Injection is no different. In this post, we will examine how we adapted template injection payloads to bypass filtering and encoding and exploit Piwik and Uber.

Lower case conversion
Piwik, an

XSS without HTML: Client-Side Template Injection with AngularJS

Abstract
Naive use of the extremely popular JavaScript framework AngularJS is exposing numerous websites to Angular Template Injection. This relatively low-profile sibling of server-side template injection can be combined with an Angular sandbox escap…
