web javascript angular cspt path-traversal same-origin

Trick Angular's client-built fetch URL into requesting another same-origin resource via surviving path separators or matrix params.

Angular CSPT / Client-Side Path Traversal to Same-Origin Resources

The client, not the server, constructs the fetch URL from route parameters. If path separators or matrix params survive into the constructed URL, the client can be tricked into fetching another same-origin resource, and because the request is same-origin the browser attaches cookies and hands the response to the Angular code that made the request.

Why It Works

  • Route params flow straight into http.get("/api/.../" + id + ".json"); if traversal sequences survive into that string, the fetch is redirected to a different path.

Vulnerable Pattern

  • Angular routers/components using route params directly inside a constructed HTTP path.
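Added example, not code from the write-up or the challenge: it models the concatenation pattern above and how a WHATWG URL parser (browser or Node) resolves it, beside a builder that allow-lists the id and re-checks the resolved prefix. The origin, the /api/articles/ endpoint and the ids are constructed, and paramFromRoute is a stand-in for the router percent-decoding the segment before the component reads it.

```javascript
// Added example, not code from the write-up or the challenge. Origin,
// endpoint prefix and ids below are constructed for illustration.
const ORIGIN = "https://app.example"; // constructed placeholder origin
const BASE = "/api/articles/";        // constructed endpoint prefix

// Stand-in for the router handing the component route.params.id: the
// segment is percent-decoded, so "..%5C" arrives as "..\".
function paramFromRoute(segment) {
  return decodeURIComponent(segment);
}

// Vulnerable pattern: the route param is concatenated into the request
// path. The ".json" suffix is not a guard; it just rides along.
function buildFetchUrlVulnerable(id) {
  return BASE + id + ".json";
}

// The request path the browser would actually send. For http(s) URLs the
// parser treats "\" like "/" and collapses ".." segments.
function resolvedPath(path) {
  return new URL(path, ORIGIN).pathname;
}

// Review/unit-test check: does the request leave the intended prefix once
// the browser has resolved it?
function escapesBase(path) {
  return !resolvedPath(path).startsWith(BASE);
}

// Hardened builder: allow-list the id shape instead of stripping
// separators, encode it anyway, and re-check the resolved prefix.
function buildFetchUrlHardened(id) {
  if (!/^[A-Za-z0-9_-]{1,64}$/.test(id)) {
    throw new Error("invalid article id");
  }
  const path = BASE + encodeURIComponent(id) + ".json";
  if (escapesBase(path)) {
    throw new Error("request path escaped " + BASE);
  }
  return path;
}

// Constructed inputs mirroring the two PoC shapes in the write-up.
const BACKSLASH_SEGMENT = "..%5C..%5C..%5C..%5Cv1%5Cimage"; // encoded backslashes
const MATRIX_VALUE = "../../v1/image";                      // matrix-param style
```

Running escapesBase over every fetch path the app builds (in a unit test or a review harness) is the cheapest way to catch this class before a normalizer downstream decides what `..\` means.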

Exploit Flow

  1. Inspect the router format; test whether encoded backslashes, %2f, or matrix params survive into the request path.
  2. Redirect the fetch toward another same-origin endpoint returning attacker-controlled or privilege-bearing content.
  3. Pair with an HTML sink like bypassSecurityTrustHtml() if the response is treated as markup.

Variations

  • Backslash traversal on Windows-aware normalizers, matrix params, or path-segment rewriting.

Common Blockers

  • URL normalization removing traversal, server-side routers rejecting the mutated path, or frontend schema checks on the returned JSON.

PoC Sketch

/article/..%5C..%5C..%5C..%5Cv1%5Cimage?view=1
/article/123;id=../../v1/image

Good Situations To Use It

  • Angular builds the fetch URL from route params.
  • Traversal/matrix params survive into the request.
  • Another same-origin endpoint is worth redirecting to.

Sources

  • fcsc2026/web/deep_blue