Burp community forum

Confirmed false-negative related to AngularJS XSS

Nicolas | Last updated: Jan 17, 2020 12:13PM UTC

Hi! Creating a new ticket given that the previous one 1) doesn't in my cases 2) isn't very clear https://support.portswigger.net/customer/en/portal/questions/17690810-false-negative-in-angularjs-xss- Burp Suite will not detect client-side template injections (aka a false-negative) when the 'ng-app' attribute is located _before_ the tags loading AngularJS Javascript files. https://docs.angularjs.org/api/ng/directive/ngApp DETECTED: <html><head> <script src="/js/angular-1.0.0.min.js"></script> <body ng-app> NOT DETECTED: <html><head ng-app> <script src="/js/angular-1.0.0.min.js"></script> <body>

Ben, PortSwigger Agent | Last updated: Jan 17, 2020 01:39PM UTC

Hi Nicolas, We are currently investigating the issue that you raised in the other ticket. We will get back to you when we have some further information.

You need to Log in to post a reply. Or register here, for free.