XSS Demo [en]

Finally some good use for my new infrastructure. I’ve had this small Angular app lying around, which I wrote for a presentation/demo on XSS a couple of years ago. So far, I’ve run it locally to demonstrate XSS vulnerabilities and how to exploit them. Now I have a place to put it and share it with others. You can find it here:

The Docker image doesn’t do TLS termination itself. Instead I’m using an nginx reverse proxy for that, same as with this blog. Just had to add another nginx config file. And add the dedicated subdomain to my Let’s Encrypt configuration. There, done.

The XSS demo app may not be very intuitive, because the original target audience was just myself. But it comes with a brief guide. Just play around from there. I may add more inline documentation later…

Right now the focus is on XSS vulnerabilities in plain HTML, via the DOM, and via Angular. Not saying the latter are vulnerable themselves. But they are all prone to XSS if used carelessly. I’m thinking about extending the list to other web front-end libs/components/frameworks/technologies, e.g. a WYSIWYG editor or a Markdown processor.