Current XSS Tier 1 also submits the attacked parameter to the server, so it might be confused with reflected XSS. Having a "classic" client-only DOM-based XSS vulnerability would be nice.
see https://github.com/eoftedal/writings/blob/master/published/owasp_top_10_for_js_-_xss.md
Want to back this issue? Post a bounty on it! We accept bounties via Bountysource.
Implement, for instance, client-side sorting.
Possible resource(s) on implementation:
Question to the XSS pros out there: Can you exploit by injecting into gitHubRibbon
if ($location.search().gitHubRibbon) {
$rootScope.gitHubRibbon = $location.search().gitHubRibbon
}
when it's later used as follows in the middle of the src attribute:
<a ng-show="gitHubRibbon" href="/redirect?to=https://github.com/bkimminich/juice-shop"><img style="position: absolute; top: 0; right: 0; border: 0;" src="/public/images/ribbons/forkme_right_{{gitHubRibbon}}.png" alt="Fork me on GitHub"></a>
My naive attack attempt gitHubRibbon="><script>alert(xss)</script><!-- did not work.
鈩癸笍Please note: I do not want to wrap it into something like $sce.trustAsHtml() to make it artificially easy!
Is it implementable what @nunoloureiro said ? because we already have a anchor for search route i.e. /#/search. It would have been relevant if our routing was like /search#sort=x. and having two anchors is not possible as browsers use (#(.*))? for anchor parsing from URL. I was thinking of implementing DOM Xss in new tracking order functionality.
@CaptainFreak The new order tracking would be a perfect fresh place for this, I guess!
Are we still less of a DOM-based XSS ? @bkimminich :)
Ok, not really ... :-)
This thread has been automatically locked because it has not had recent activity after it was closed. :lock: Please open a new issue for regressions or related bugs.