@mikewest @arturjanc @sirdarckcat @kkotowicz It seems that most client-side templating systems are bypassable due to "strict-dynamic".
Cool, then it's probably exploitable just like most reflected XSS in Angular apps! :)
I see a couple of themes in the bypasses: caches, relative URLs, templating, dangling markup
yea, we should be more creative :)
We should look into encodings
e.g. Use the injection to make something a valid script in a weird encoding to steal the nonce
Then use the cache to reuse the nonce.
Not sure yet how this would work, but given the injection it might work somehow.
mmm will think about it a bit
in Polymer, the sink is actually node.insert*(copy of templateEl.content) https://github.com/Polymer/polymer/blob/4be2e448e253aff6769858fd39e7ddca165ad0cb/src/lib/template/dom-repeat.html#L702 …