- Step 1: Open terminal and switch to project directory
cd /root/angular-xss/xss- Step 2: Build the docker images for both frontend and the API
docker-compose build- Step 3: Start the app
docker-compose up -d- Step 4: Access the app on
http://<your-server-ip>:4200
Note: To fetch server ip type in
serveripin the terminal
-
Step 5: Signup as an admin, Enter some random email id and password, also enable the
Signup as an admincheckbox -
Step 6: Now it's time to login as an Admin, While logging in as an Admin enable
Signin as an adminflag -
Step 7: After successful login you should see
Add New Moviesoption in the Navigation bar -
Step 8: Now create some movies using that option
-
Step 9: While creating a new movies entry in the
Movie Linkinput you can add an XSS payload likejavascript:alert("Hacked!") -
Step 10: If you are successful in creating the movie now access the
Moviestab -
Step 11: Now click on the
Click Herebutton to see an attack taking place, This should pop up with an alert box stating that it isHacked! -
Step 12: You can repeat from
Step 9this time you try with a different payload likejavascript:alert(window.localStorage.getItem('token')) -
Step 13: If you are successful in the attack then you should see an alert box with a JWT token value.
- Step 1: Switch to project directory
cd /root/angular-xss/xss- Step 2: Bring down the app
docker-compose down